@Shivs11 Shivs11 commented Jan 28, 2026

What was changed

  • Make sure that the image, during create time, has the right image config so that kubelet can rightly validate against it.
  • kubelet could not prove that the string "USER nonroot" is not the root. The following changes do that.

Why?

  • Correctness.

Checklist

  1. Closes
       • [Bug] Helm chart deployment fails on v1.2.0: "container has runAsNonRoot and image has non-numeric user (nonroot)" #192
       • Helm chart: Add runAsUser support to pod securityContext #193

  2. How was this tested:

  3. Any docs updates needed?

@Shivs11 Shivs11 requested review from a team and jlegrone as code owners January 28, 2026 22:20
COPY --chown=nonroot:nonroot temporal-worker-controller /usr/local/bin/temporal-worker-controller

USER nonroot
COPY --chown=65532:65532 temporal-worker-controller /usr/local/bin/temporal-worker-controller
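
Review bot: The numeric replacement for `USER nonroot` is not visible next to the new `COPY --chown=65532:65532` line, and that USER directive is the one the description says kubelet could not verify. Confirm the final stage ends with a numeric directive such as `USER 65532:65532`, so the image config and the file ownership refer to the same ID, and add a one-line comment in the Dockerfile saying which account 65532 is meant to be, since the bare number explains nothing to the next reader.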

Also changed this to just have 65532 rather than nonroot to be more reliable: I think --chown=nonroot:nonroot depends on the build environment being able to resolve the names nonroot and nonroot to IDs during the COPY.

No need to maybe take this risk and just be explicit in nature.

@Shivs11 Shivs11 enabled auto-merge (squash) February 2, 2026 19:58
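
A pre-merge lint for the failure this PR fixes, as an added example that is not part of the PR or the project's code: it reads a Dockerfile and classifies how a `runAsNonRoot` check would see the final stage's USER. The function names, the verdict strings and the sample Dockerfiles are constructed for illustration, and the logic only approximates the kubelet check from the Dockerfile text.

```python
import re

# Constructed sample Dockerfiles (not taken from the PR); image names are placeholders.
NAMED = "FROM example.invalid/runtime\nCOPY app /app\nUSER nonroot\n"
NUMERIC = "FROM example.invalid/runtime\nCOPY --chown=65532:65532 app /app\nUSER 65532:65532\n"
ROOT = "FROM example.invalid/runtime\nUSER 0\n"
MULTI = ("FROM example.invalid/build AS build\nUSER 1000\n"
         "FROM example.invalid/runtime\nCOPY --from=build /app /app\n")


def final_user(dockerfile_text):
    """Return the last USER value in the final build stage, or None if that stage sets none."""
    user = None
    for raw in dockerfile_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].upper()
        if keyword == "FROM":
            user = None  # a new stage starts from its base image's user, not the previous stage's
        elif keyword == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user


def run_as_non_root_verdict(dockerfile_text, run_as_user=None):
    """Classify the image as 'ok', 'root', 'non-numeric' or 'inherited'."""
    if run_as_user is not None:
        # A numeric runAsUser in the pod securityContext takes precedence over the image's user.
        return "root" if run_as_user == 0 else "ok"
    user = final_user(dockerfile_text)
    if user is None:
        return "inherited"  # depends on the base image; cannot be decided from this file
    uid = user.split(":", 1)[0]
    if not re.fullmatch(r"[0-9]+", uid):
        return "non-numeric"  # a name cannot be proven non-root from the image config alone
    return "root" if int(uid) == 0 else "ok"


if __name__ == "__main__":
    samples = [("named", NAMED), ("numeric", NUMERIC), ("root", ROOT), ("multi-stage", MULTI)]
    for name, text in samples:
        print(f"{name:16} -> {run_as_non_root_verdict(text)}")
    print(f"{'named+runAsUser':16} -> {run_as_non_root_verdict(NAMED, run_as_user=65532)}")
```

A verdict of `inherited` means the final stage never sets USER, so the result depends on the base image's config and has to be checked against the built image instead.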