'Access to the path /usr/share\OPC Foundation\pki\own is denied' - this happens when deploying the OPC UA server

I have a Dockerfile for a .NET application with a multi-layered image, where my first image creates the artifacts and my second image copies the artifacts from the first and is used for deployment.

  1. I am creating a Docker user and a group to avoid giving root permission to the user.
  2. When I deploy the application in the Kubernetes cluster, it doesn't run with the user created.
  3. I am facing an issue accessing the default OPC UA server certificate path. Can anyone tell me how to achieve this without providing root permission to the user?
  4. I also tried to change the location of the certificate in the ConfigMap so that I can store it in the image.

```dockerfile
# Stage 1: build and publish the application
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-focal AS build

# passing the root and nuget TLS certificates for the package to download
COPY ./CIdependencies/rootca.cer /etc/ssl/certs/rootca.cer
COPY ./CIdependencies/nuget.cer /etc/ssl/certs/nuget.cer
WORKDIR /etc/ssl/certs
RUN openssl x509 -inform DER -in nuget.cer -out nuget.crt \
    && openssl x509 -inform PEM -in rootca.cer -out rootca.crt \
    && update-ca-certificates \
    && echo $PWD
WORKDIR /src
EXPOSE 62501
COPY ["OPCUAServer.csproj", "./"]
RUN dotnet restore "./OPCUAServer.csproj"
COPY . .
WORKDIR "/src/."
RUN dotnet build "OPCUAServer.csproj" -c Release -o /app/build \
    && dotnet publish "OPCUAServer.csproj" -c Release -o /app/publish

# Stage 2: runtime image used for deployment
FROM ubuntu:20.04
ARG GIT_COMMIT
ARG DS_VERSION=0.0.0.0
# passing the root certificates for the package to download
COPY ./CIdependencies/zscaler-rootca.cer /etc/ssl/certs/rootca.cer
LABEL Name=OPCUAServer Version=$DS_VERSION git_commit=$GIT_COMMIT

# runtime-deps and runtime: native dependencies of the .NET Core 3.1 runtime
# on focal, plus curl, which the download step below needs
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        libc6 \
        libgcc1 \
        libgssapi-krb5-2 \
        libicu66 \
        libssl1.1 \
        libstdc++6 \
        zlib1g \
    && rm -rf /var/lib/apt/lists/*

ENV \
    # Configure web servers to bind to port 8079 when present
    ASPNETCORE_URLS=http://+:8079 \
    # Enable detection of running in a container
    DOTNET_RUNNING_IN_CONTAINER=true

# Install .NET Core runtime and ASP.NET Core 3.1 (focal)
# passing the root certificate (copied above as rootca.cer) for the package to download
RUN dotnet_version=3.1.18 \
    && curl -fSL --cacert /etc/ssl/certs/rootca.cer --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Runtime/$dotnet_version/dotnet-runtime-$dotnet_version-linux-x64.tar.gz \
    && dotnet_sha512='6f06dbc4625fa8a0e64ffb9269b5f657e369fd28e7f27bfd05d4f422c6aa95847b5089d70760024bdf1100990dbbffce220a' \
    && echo "$dotnet_sha512  dotnet.tar.gz" | sha512sum -c - \
    && mkdir -p /usr/share/dotnet \
    && tar -ozxf dotnet.tar.gz -C /usr/share/dotnet \
    && rm dotnet.tar.gz \
    && ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \
    && aspnetcore_version=3.1.18 \
    && curl -fSL --cacert /etc/ssl/certs/rootca.cer --output aspnetcore.tar.gz https://dotnetcli.azureedge.net/dotnet/aspnetcore/Runtime/$aspnetcore_version/aspnetcore-runtime-$aspnetcore_version-linux-x64.tar.gz \
    && aspnetcore_sha512='be29a7611941d9b20d5d3ece64d3ce3c2342ba24bf0382eed3625713ce89957fa15671403af16ccb588397fc0b27e7f028952213e08db6' \
    && echo "$aspnetcore_sha512  aspnetcore.tar.gz" | sha512sum -c - \
    && tar -ozxf aspnetcore.tar.gz -C /usr/share/dotnet ./shared/Microsoft.AspNetCore.App \
    && rm aspnetcore.tar.gz

# Create a user, group and providing permission to access the built files
WORKDIR /app
RUN groupadd -r opc && useradd --no-log-init -r -g opc opc
USER opc
COPY --from=build --chown=opc:opc /app/publish .
ENTRYPOINT ["dotnet", "OPCUAServer.dll"]
```


Solution 1:[1]

From the error message, it is a permission issue. Please just grant full permission to your folder and you can test it again.
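
One way to grant that access to the non-root user only, as an added example that is not part of the original question or answer: it replaces the user-creation lines at the end of the runtime stage. It assumes the certificate store resolves to `/usr/share/OPC Foundation/pki` (the directory named in the error message), and the UID/GID 10001 is a constructed value.

```dockerfile
# Added example: tail of the runtime stage, replacing the user-creation lines.
# Assumptions: the PKI path is taken from the error message; UID/GID 10001 is
# a constructed value, chosen only so that the id is fixed and known.
WORKDIR /app

# A fixed numeric id lets the cluster match or enforce it: Kubernetes cannot
# verify runAsNonRoot against a user that is given only by name.
RUN groupadd -r -g 10001 opc \
    && useradd --no-log-init -r -u 10001 -g opc opc

# Create the store while the build still runs as root, then hand only this
# tree to opc. Mode 0750: owner rwx, group r-x, nothing for others, so the
# private key written under pki/own is not world-readable.
RUN mkdir -p "/usr/share/OPC Foundation/pki/own" \
    && chown -R opc:opc "/usr/share/OPC Foundation" \
    && chmod -R 0750 "/usr/share/OPC Foundation"

COPY --from=build --chown=opc:opc /app/publish .

# Numeric form, so the container runtime does not have to resolve the name.
USER 10001:10001
ENTRYPOINT ["dotnet", "OPCUAServer.dll"]
```

If a volume is mounted over this path in the pod, it hides the directory and ownership baked into the image; setting `securityContext.fsGroup` to the same GID makes the mounted directory writable by the group instead.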

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Douglas Thomas