Reputation: 62652
Consider a Dockerfile that uses the USER instruction, for example:

```dockerfile
FROM adoptopenjdk:11-jre-hotspot as builder
WORKDIR application
ARG JAR_FILE=build/libs/*.jar
COPY ${JAR_FILE} application.jar
RUN java -Djarmode=layertools -jar application.jar extract

FROM adoptopenjdk:11-jre-hotspot
WORKDIR application
COPY --from=builder application/dependencies/ ./
COPY --from=builder application/spring-boot-loader ./
COPY --from=builder application/snapshot-dependencies/ ./
COPY --from=builder application/application/ ./
VOLUME /tmp
EXPOSE 8080
USER nobody
ENTRYPOINT ["java", "org.springframework.boot.loader.JarLauncher"]
```
When Kubernetes runs the Docker image, does it respect the USER instruction or does it ignore it?
If the user does not exist in the K8s cluster does K8s create the user?
Upvotes: 0
Views: 104
Reputation: 94
In Kubernetes, when it runs a Docker container, it does not directly respect the USER instruction from the Dockerfile. The USER instruction in a Dockerfile sets the username or UID to use when running the image, but Kubernetes can manage the user permissions itself. It can use the securityContext feature to alter the UID/USER. Example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox:1.28
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
```
Check the docs for it here
If you are not using this feature it will just "inherit" the Dockerfile instructions.
Upvotes: 0
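As an added illustration of the precedence the answer above describes (example code written for this page, not code from the question or from Kubernetes): a small Python model of how the kubelet decides which user a container process runs as, from the image's USER instruction and the pod- and container-level securityContext, including the runAsNonRoot checks under which it refuses to start the container. The Dockerfile sample is the question's, trimmed to the relevant instructions; the securityContext dicts are constructed.

```python
import re

# Constructed sample: the question's Dockerfile reduced to the instructions that matter here.
DOCKERFILE = """
FROM adoptopenjdk:11-jre-hotspot
WORKDIR application
USER nobody
ENTRYPOINT ["java", "org.springframework.boot.loader.JarLauncher"]
"""

def image_user(dockerfile):
    """Return the value of the last USER instruction, or None (image runs as root)."""
    user = None
    for line in dockerfile.splitlines():
        m = re.match(r"\s*USER\s+(\S+)", line, re.IGNORECASE)
        if m:
            user = m.group(1).split(":")[0]  # drop an optional ":group" suffix
    return user

def effective_user(dockerfile, pod_sc, container_sc):
    """Resolve the user with Kubernetes precedence: container securityContext >
    pod securityContext > image USER > root (uid 0). Returns an int UID, or a user
    name the runtime must look up in the image's /etc/passwd (Kubernetes never
    creates users). Raises ValueError where the kubelet would refuse to start."""
    non_root = container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    for sc in (container_sc, pod_sc):          # most specific setting wins
        if "runAsUser" in sc:
            if non_root and sc["runAsUser"] == 0:
                raise ValueError("runAsUser 0 conflicts with runAsNonRoot")
            return sc["runAsUser"]
    user = image_user(dockerfile)
    if user is None or user.isdigit():
        uid = 0 if user is None else int(user)
        if non_root and uid == 0:
            raise ValueError("image would run as root but runAsNonRoot is set")
        return uid
    if non_root:
        # The kubelet cannot map a name to a UID without reading the image, so it refuses.
        raise ValueError(f"cannot verify non-numeric image user {user!r} is non-root")
    return user

def check(dockerfile, pod_sc, container_sc):
    """Convenience wrapper: ('ok', user) or ('rejected', reason)."""
    try:
        return ("ok", effective_user(dockerfile, pod_sc, container_sc))
    except ValueError as e:
        return ("rejected", str(e))
```

With no securityContext the image's `USER nobody` applies unchanged; a pod-level `runAsUser: 1000` overrides it, and a container-level value overrides both.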
Reputation: 3215
Yes, it does. That's an important feature when securing containers (although using gosu or a similar tool would provide similar security).
Upvotes: 1