Add option to pass in uid

clbx · clbx · commit c0ab928c69f7 · 2025-03-28T15:58:14.000-04:00
diff --git a/src/main.go b/src/main.go
@@ -27,6 +27,7 @@ import (
 
 var image string
 var Version string
+var containerUser int
 
 func main() {
 
@@ -50,6 +51,7 @@ func main() {
 	}
 
 	rootCmd.Flags().StringVarP(&image, "image", "i", "alpine", "Image to mount job to")
+	rootCmd.Flags().IntVarP(&containerUser, "container-user", "u", 0, "User ID to run the container as")
 	kubeConfigFlags.AddFlags(rootCmd.Flags())
 
 	if err := rootCmd.Execute(); err != nil {
@@ -119,6 +121,7 @@ func browseCommand(kubeConfigFlags *genericclioptions.ConfigFlags, pvcName strin
 		cmd:       []string{"/bin/sh", "-c", "--"},
 		args:      commandArgs,
 		node:      node,
+		user:      int64(containerUser),
 	}
 
 	// Build the Job
diff --git a/src/util.go b/src/util.go
@@ -13,6 +13,7 @@ type PodOptions struct {
 	cmd       []string
 	args      []string
 	node      string
+	user      int64
 }
 
 var script = `
@@ -56,6 +57,29 @@ func buildPvcbGetJob(options PodOptions) *batchv1.Job {
 		options.args = []string{script}
 	}
 
+	// Setup SecurityContext
+	var allowPrivilegeEscalation bool
+	var runAsNonRoot bool
+	if options.user == 0 {
+		runAsNonRoot = false
+		allowPrivilegeEscalation = true
+	} else {
+		runAsNonRoot = true
+		allowPrivilegeEscalation = false
+	}
+
+	securityContext := corev1.SecurityContext{
+		RunAsUser:                &options.user,
+		RunAsNonRoot:             &runAsNonRoot,
+		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: "RuntimeDefault",
+		},
+	}
+
 	TTLSecondsAfterFinished := new(int32)
 	*TTLSecondsAfterFinished = 10
 
@@ -78,10 +102,11 @@ func buildPvcbGetJob(options PodOptions) *batchv1.Job {
 					NodeName:      options.node,
 					Containers: []corev1.Container{
 						{
-							Name:    "browser",
-							Image:   image,
-							Command: options.cmd,
-							Args:    options.args,
+							Name:            "browser",
+							Image:           image,
+							Command:         options.cmd,
+							Args:            options.args,
+							SecurityContext: &securityContext,
 							Env: []corev1.EnvVar{
 								{
 									Name:  "PS1",
