Make all containers able to run as an arbitrary user ID (non-root)
Problem to solve
A container should never run as the root user, since doing so is a security flaw.
The operator currently runs the postgres image and other images as a fixed user ID; this caused some problems in more restricted environments like OpenShift.
Further details
Kubernetes-compatible platforms like OpenShift disallow running a container as root by default.
The best solution is to build the application image so it can be run as an arbitrary user ID. This avoids the risks associated with having to run an application as the root user ID, or other fixed user ID which may be shared with applications in other projects.
Proposal
Make all containers spawned by the StackGres helm charts and operator run as a non-root user.
Testing
The filesystem permissions could be tricky to work with, so this should test some combination of deleting pods, changing PVCs, etc.
Links / references
- https://dev.to/techworld_with_nana/run-pod-with-root-privileges-41n9
- https://opensource.com/article/18/3/just-say-no-root-containers
- https://www.openshift.com/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
- https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html
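
One way to check the proposal against a rendered manifest, as an added example that is not part of the original issue or StackGres code: it classifies every container by its effective `securityContext`, flagging explicit root, a pinned user ID, and missing non-root enforcement. The manifest, container names and verdict labels are constructed for illustration.

```python
# Added example: audits a pod template for root, fixed-UID and unenforced containers.
def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload that has a pod template."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def effective(pod_sc, ctr_sc, field):
    """Container-level securityContext fields override pod-level ones."""
    return ctr_sc[field] if field in ctr_sc else pod_sc.get(field)

def audit(manifest):
    """Map each container name to 'root', 'fixed-uid', 'unenforced' or 'ok'."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    findings = {}
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        ctr_sc = ctr.get("securityContext") or {}
        uid = effective(pod_sc, ctr_sc, "runAsUser")
        non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
        if uid == 0:
            verdict = "root"        # explicitly requests UID 0
        elif uid is not None:
            verdict = "fixed-uid"   # pinned UID; can clash with platform-assigned ranges
        elif non_root is not True:
            verdict = "unenforced"  # the image's USER decides, which may be root
        else:
            verdict = "ok"          # non-root enforced, UID left to image or platform
        findings[ctr["name"]] = verdict
    return findings

# Constructed sample: a StatefulSet with one init container and three containers.
SAMPLE = {
    "kind": "StatefulSet",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "initContainers": [{"name": "setup-perms", "securityContext": {"runAsUser": 0}}],
        "containers": [
            {"name": "db"},
            {"name": "sidecar", "securityContext": {"runAsUser": 999}},
            {"name": "exporter", "securityContext": {"runAsNonRoot": False}},
        ],
    }}},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Only containers reported as `ok` leave the user ID to the platform while still refusing to start as root.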