Rootless builds

[smlx]

While working on uselagoon/lagoon#2481 I noticed that the build pods are running as root. I just wanted to start a discussion about the best way to update them to run as a non-root user.

Do you see any issues with running as a different user? And where would be the best place to define a securityContext on the build pod? Hard-coding it in lagoon-kbd would be one way.. but is that the best way to go?

[shreddedbacon]

I don't think there would be any issues running builds as a different user for the majority of the build. The only thing that could be an issue is being able to run docker build to build out the images before pushing them.

And where would be the best place to define a securityContext on the build pod? Hard-coding it in lagoon-kbd would be one way.. but is that the best way to go?

The pod spec is defined in code, so adding the security context there would make sense. If it is a static config, if there are variables that need to be injected, we can still probably accomodate this.