Fix(image): use fixed user id instead of username (#6413)

fgksgf · web-flow · commit 23b086d6f8b9 · 2025-08-29T08:12:55.000Z
diff --git a/charts/tidb-operator/values.yaml b/charts/tidb-operator/values.yaml
@@ -48,9 +48,10 @@ operator:
 
   # SecurityContext is security config of this component, it will set template.spec.securityContext
   # Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context
-  securityContext: {}
-  # runAsUser: 1000
-  # runAsGroup: 2000
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 2000
   # fsGroup: 2000
 
   # PodAnnotations will set template.metadata.annotations
diff --git a/image/Dockerfile b/image/Dockerfile
@@ -29,7 +29,11 @@ FROM --platform=$TARGETPLATFORM ghcr.io/pingcap-qe/bases/pingcap-base:v1.10.0@sh
 
 ARG TARGETPLATFORM
 
-USER pingcap:pingcap
+# Use numeric UID:GID instead of username for Kubernetes compatibility.
+# Base image defines: PINGCAP_UID=1000, PINGCAP_GID=2000 (pingcap:pingcap)
+# Kubernetes runAsNonRoot requires numeric user to verify non-root execution.
+# Reference: https://github.com/PingCAP-QE/artifacts/blob/main/dockerfiles/bases/pingcap-base/Dockerfile
+USER 1000:2000
 
 WORKDIR /
 
@@ -41,7 +45,7 @@ FROM --platform=$TARGETPLATFORM ghcr.io/pingcap-qe/bases/pingcap-base:v1.10.0@sh
 
 ARG TARGETPLATFORM
 
-USER pingcap:pingcap
+USER 1000:2000
 
 WORKDIR /
 
@@ -53,7 +57,7 @@ FROM --platform=$TARGETPLATFORM ghcr.io/pingcap-qe/bases/pingcap-base:v1.10.0@sh
 
 ARG TARGETPLATFORM
 
-USER pingcap:pingcap
+USER 1000:2000
 
 WORKDIR /
 
@@ -67,7 +71,7 @@ FROM --platform=$TARGETPLATFORM ghcr.io/pingcap-qe/bases/pingcap-base:v1.10.0@sh
 
 ARG TARGETPLATFORM
 
-USER pingcap:pingcap
+USER 1000:2000
 
 WORKDIR /
 
