Guidance on .NET 8 non-root container in K8S accessing a secret mounted as a volume? #5061
Background

I am newer to Kubernetes and am willing to bet this may be a gap in my knowledge but I can't determine what it is. We upgraded to .NET 8 containers seamlessly -- worked great! 🎉 Now I'm in the process of locking things down a little bit more, including running as a non-root user. I have:

Challenge

This Kubernetes pod has a secret binding that shows up as a volume mount. Our app reads this file at runtime. We're now getting permission errors when trying to read the file located in the binding mount, which I think makes sense, because the volume would be mounted by root by default, thus preventing access (though I'm pretty new to this). I have tried:

Question

Is there any guidance or are there any examples of using .NET 8 non-root containers and reading from mounted volumes? If not, I'm willing to contribute back to the docs/samples once I understand it fully. Any help is appreciated!
Replies: 1 comment
It turns out, I spoke too soon! I must have posted this before appropriately trying the fix.

After isolating the fix, the key change was adding `fsGroup: 2000` to the pod's `securityContext`. I didn't need the additional `runAsUser` commands.
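
A pod manifest showing where the setting from the reply goes, as an added example that is not part of the original discussion. The pod name, image, secret name, mount path and the `defaultMode` value are placeholders and assumptions; only `fsGroup: 2000` comes from the post.

```yaml
# Added illustration. Everything except fsGroup: 2000 is a placeholder.
apiVersion: v1
kind: Pod
metadata:
  name: dotnet-app                     # placeholder
spec:
  securityContext:
    # The change from the reply. The kubelet sets group ownership of the
    # mounted secret files to GID 2000 and adds GID 2000 to the container
    # process's supplementary groups, so a non-root user can read them.
    fsGroup: 2000
  containers:
    - name: app
      # Placeholder image, assumed to be built on a .NET 8 base image and
      # configured to run as a non-root user.
      image: registry.example.com/dotnet-app:8.0
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: app-secret
          mountPath: /etc/app-secret   # placeholder path
          readOnly: true
  volumes:
    - name: app-secret
      secret:
        secretName: app-secret         # placeholder
        # Assumption, not from the post: owner and group may read,
        # "other" gets nothing, so access depends on the fsGroup GID.
        defaultMode: 0440
```

To check the result from inside the running container, `id` should list 2000 among the process's groups and `ls -lnL /etc/app-secret` should show the files with group 2000.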