make root optional

Author: jbiers

charts/rancher-backup/templates/deployment.yaml

@@ -24,8 +24,10 @@ spec:
         prometheus.io/scrape: "true"
         {{ end }}
     spec:
+      {{- if .Values.securityContext.runAsNonRoot }}
       securityContext:
         fsGroup: 1000
+      {{- end }}
       serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -40,9 +42,11 @@ spec:
         imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }}
         securityContext:
           allowPrivilegeEscalation: false
+        {{- if .Values.securityContext.runAsNonRoot }}
           runAsNonRoot: true
           runAsUser: 1000
           runAsGroup: 1000
+        {{- end }}
         ports:
         - containerPort: 8080
         args:

charts/rancher-backup/values.yaml

@@ -90,3 +90,9 @@ monitoring:
     additionalLabels: {}
     metricRelabelings: []
     relabelings: []
+
+securityContext:
+  ## When persisting backup files to a PVC of type HostPath, set securityContext.runAsNonRoot to false.
+  ## Only processes running as 'root' can write to HostPath PVCs so Backups will fail in that scenario if not running as 'root'.
+  ## However, this goes against Kubernetes security best practices and should be avoided whenever possible.
+  runAsNonRoot: true

package/Dockerfile

@@ -12,5 +12,4 @@ RUN ./scripts/build
 
 FROM registry.suse.com/bci/bci-micro:latest
 COPY --from=builder /usr/src/app/bin/backup-restore-operator  /usr/bin/
-USER 1000
 ENTRYPOINT ["backup-restore-operator"]