While deploying the velero Helm chart, I got the following error:

    Error: container has runAsNonRoot and image has non-numeric user (cnb), cannot verify user is non-root (pod: "velero-85b77f7b4c-j2n99_velero(dc3eece8-4313-4ba3-9412-dfe1765b377f)", container: velero)
This problem arose because I had customized the container security context in my helm-values.yaml:

    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: []
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
      readOnlyRootFilesystem: true

See how our containerSecurityContext.runAsNonRoot is set to true? That's good for security, but Kubernetes cannot verify that the container respects that setting: the image specifies its user as a name, "cnb", instead of a numeric user id, and the kubelet only checks the numeric uid.
Let's take a closer look at the Dockerfile behind the image, docker.io/velero/velero. The very last line tells Docker which user the container should run as:

    USER cnb:cnb

This is what causes the problem, because Kubernetes cannot verify that the user "cnb" is non-root. To avoid it, the Dockerfile would need to end with something like the following:

    USER 1000:1000

User 1000 is not the root user (0), so there would be no problem if this is how the Dockerfile were written.
Since velero is a public project and we can't easily change its Dockerfile, we need to work around the issue. We can do this by explicitly setting the uid ourselves in the containerSecurityContext:

    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: []
      runAsNonRoot: true
      runAsUser: 1000 # <-- add this
      seccompProfile:
        type: RuntimeDefault
      readOnlyRootFilesystem: true
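To see why the first values file fails and the second one passes, here is an added example (not code from this post or from the velero project) that models the kubelet's runAsNonRoot check in Python. It takes the USER value from an image and the pod/container securityContext fields, and returns the reason the kubelet would refuse the container, or None if it would start. The message strings follow the kubelet's wording; the sample values are constructed to match the helm-values.yaml shown above.

```python
# Added example: a small model of the kubelet's runAsNonRoot verification, so you can
# predict from a values file and an image's USER directive whether a pod will be
# rejected before deploying. Not the kubelet's own code; messages mirror its wording.
from typing import Optional, Tuple


def parse_image_user(user_directive: Optional[str]) -> Tuple[Optional[int], Optional[str]]:
    """Interpret a Dockerfile USER value ("cnb:cnb", "1000:1000", "1000", "") the way
    a CRI runtime reports it: either a numeric uid, or a username that cannot be
    resolved without reading the image's /etc/passwd. No USER line means uid 0."""
    if not user_directive:
        return 0, None
    user = user_directive.strip().split(":", 1)[0]   # drop the ":group" part
    if user.isdigit():
        return int(user), None
    return None, user


def effective_security_context(pod_ctx: dict, container_ctx: dict) -> dict:
    """Container-level fields override pod-level ones; runAsNonRoot and runAsUser
    are inherited from the pod securityContext when the container omits them."""
    merged = dict(pod_ctx)
    merged.update(container_ctx)
    return merged


def verify_run_as_non_root(ctx: dict, image_user: Optional[str]) -> Optional[str]:
    """Return None when the container may start, otherwise the rejection reason."""
    if not ctx.get("runAsNonRoot"):
        return None                      # policy not requested, nothing to verify
    run_as_user = ctx.get("runAsUser")
    if run_as_user is not None:          # an explicit uid settles the question
        if run_as_user == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    uid, username = parse_image_user(image_user)
    if uid is not None:                  # image USER is numeric, can be checked
        if uid == 0:
            return "container has runAsNonRoot and image will run as root"
        return None
    # image USER is a name: the kubelet does not resolve it, so it refuses the pod
    return (f"container has runAsNonRoot and image has non-numeric user ({username}), "
            "cannot verify user is non-root")


# Constructed sample values mirroring the values file before and after the fix.
BEFORE = {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
          "readOnlyRootFilesystem": True}
AFTER = dict(BEFORE, runAsUser=1000)
VELERO_IMAGE_USER = "cnb:cnb"            # the USER line from the velero Dockerfile


if __name__ == "__main__":
    for name, ctx in (("before", BEFORE), ("after", AFTER)):
        reason = verify_run_as_non_root(effective_security_context({}, ctx), VELERO_IMAGE_USER)
        print(f"{name}: {'OK' if reason is None else reason}")
```

One caveat when picking the uid: runAsUser: 1000 only makes the check pass; it also decides which uid the process really runs as. If "cnb" maps to a different uid inside the image, files owned by cnb may become unreadable, so confirm the uid from the image's /etc/passwd rather than guessing. `docker image inspect --format '{{.Config.User}}' velero/velero` shows the raw USER string, which is enough to tell whether it is numeric but not which uid a name maps to.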