WSO2 API Manager Dockerfile userid number for Kubernetes/Openshift

I am trying to deploy, with Helm, the deployment chart provided for Kubernetes/OpenShift on an OpenShift cluster, but I am having a problem with the user ID that is included in the original image from WSO2. I do not have cluster admin permissions on the OpenShift cluster, so I cannot modify the SCC policies.

In the Dockerfile for WSO2 API Manager the user ID is included via ARG, so once this image is built, this user ID number cannot be modified. It can be checked here: https://github.com/wso2/docker-apim/blob/v4.0.0.1/dockerfiles/ubuntu/apim/Dockerfile

# set Docker image build arguments
# build arguments for user/group configurations
ARG USER=wso2carbon
ARG USER_ID=802
ARG USER_GROUP=wso2
ARG USER_GROUP_ID=802

And in the deployment artifact for Kubernetes provided by WSO2, which can be checked here https://github.com/wso2/kubernetes-apim/blob/master/simple/am-single/templates/am/instance/wso2am-deployment.yaml, they use this user ID in the section:

securityContext:
    runAsUser: 802

But when I deploy this on the OpenShift cluster I get the following error:

Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 802: must be in the ranges: [1015490000, 1015499999]

It is basically saying that I cannot use a user ID below 1015490000, in this case 802, but I don't know how to override this user ID without building the Dockerfile from WSO2 myself, because I would have to rebuild for every update or change to the original image, and that does not seem the best approach to solve this.

If anyone could help me to solve this issue.



Solution 1:[1]

You can do the following.

  1. Remove User from the dockerfile - https://github.com/wso2/docker-apim/blob/master/dockerfiles/ubuntu/apim/Dockerfile#L76
  2. Set permissions for the user directory (${USER_HOME})

RUN chgrp -R 0 /some/directory && chmod -R g=u /some/directory
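
A way to check the result of step 2 before deploying, as an added example that is not part of the original answer or of WSO2's images. The function name audit_gid_ready and its output labels are made up here, and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit a tree prepared with
#   chgrp -R 0 DIR && chmod -R g=u DIR
# OpenShift runs the container with a UID from the project's range and
# GID 0, so every entry must be in group 0 with group bits equal to the
# owner bits. Assumes GNU or BusyBox stat (-c).

# audit_gid_ready DIR [GID]  (GID defaults to 0)
# Prints non-conforming entries; returns 0 if none, 1 otherwise.
audit_gid_ready() {
    dir=$1
    want_gid=${2:-0}
    findings=$(
        find "$dir" ! -type l -exec stat -c '%g %a %n' {} + |
        while read -r gid mode name; do
            # Normalise "755", "2775" or "0" to four digits, drop the
            # special-bits digit, then split owner and group digits.
            perm=$(printf '%04d' "$mode")
            perm=${perm#?}
            owner=${perm%??}
            rest=${perm#?}
            group=${rest%?}
            if [ "$gid" != "$want_gid" ]; then
                echo "wrong-group gid=$gid mode=$mode $name"
            elif [ "$owner" != "$group" ]; then
                echo "group-bits-differ gid=$gid mode=$mode $name"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run against a directory when called with arguments, e.g. inside the
# built image: sh audit.sh "$USER_HOME"
if [ "$#" -gt 0 ]; then
    audit_gid_ready "$@"
fi
```

A non-zero exit lists the entries that a UID from the cluster-assigned range, running with GID 0, could not use the way the image's original owner can.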

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Pubci