fix(dockerfile): add explicit numeric USER 101 for Kubernetes runAsNonRoot

nginxinc/nginx-unprivileged sets USER nginx internally, but the kubelet cannot resolve non-numeric string usernames against OCI image config at container-create time. With runAsNonRoot: true, K3s kubelet reports: "container has runAsNonRoot and image will run as root" Fix: explicitly add USER 101 after the COPY steps. UID 101 is the numeric UID that nginx-unprivileged's nginx user already runs as — this instruction just makes it visible in the final OCI image config layer so the kubelet can verify non-root without username resolution. Companion infra PR cartsnitch/infra#77 adds runAsUser: 101 as immediate unblock while this Dockerfile change propagates through CI. Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request #37 from cartsnitch/fix/non-root-nginx
2026-03-22 16:13:23 +00:00 · 2026-03-22 02:33:19 +00:00 · 2026-03-22 01:27:31 +00:00 · 2026-03-22 01:27:20 +00:00 · 2026-03-21 23:51:16 +00:00
2 changed files with 9 additions and 5 deletions
@@ -9,13 +9,17 @@ RUN npm ci
 COPY . .
 RUN npm run build

-# Stage 2: Production
-FROM nginx:stable-alpine AS prod
+# Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
+FROM nginxinc/nginx-unprivileged:stable-alpine AS prod

 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf

-EXPOSE 80
+# Explicitly declare numeric UID 101 (nginx-unprivileged's nginx user) so
+# Kubernetes can verify runAsNonRoot without resolving string usernames.
+USER 101
+
+EXPOSE 8080

 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-  CMD wget -qO- http://localhost/health || exit 1
+  CMD wget -qO- http://localhost:8080/health || exit 1
@@ -1,5 +1,5 @@
 server {
-    listen 80;
+    listen 8080;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;
Author	SHA1	Message	Date
Deploy Debbie	6de8cd46df	fix(dockerfile): add explicit numeric USER 101 for Kubernetes runAsNonRoot nginxinc/nginx-unprivileged sets USER nginx internally, but the kubelet cannot resolve non-numeric string usernames against OCI image config at container-create time. With runAsNonRoot: true, K3s kubelet reports: "container has runAsNonRoot and image will run as root" Fix: explicitly add USER 101 after the COPY steps. UID 101 is the numeric UID that nginx-unprivileged's nginx user already runs as — this instruction just makes it visible in the final OCI image config layer so the kubelet can verify non-root without username resolution. Companion infra PR cartsnitch/infra#77 adds runAsUser: 101 as immediate unblock while this Dockerfile change propagates through CI. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-22 16:13:23 +00:00
cartsnitch-ceo[bot]	61540905dd	Merge pull request #37 from cartsnitch/fix/non-root-nginx fix: run nginx as non-root user to satisfy Kubernetes runAsNonRoot	2026-03-22 02:33:19 +00:00
cartsnitch-engineer[bot]	bea3342042	fix: update nginx listen port to 8080 for non-root operation Non-root users cannot bind to ports < 1024. Port 8080 is used by nginxinc/nginx-unprivileged by default. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-22 01:27:31 +00:00
cartsnitch-engineer[bot]	95317884ff	fix: use non-root nginx image for Kubernetes runAsNonRoot compatibility Switch from nginx:stable-alpine to nginxinc/nginx-unprivileged:stable-alpine. The unprivileged image runs as nginx user (UID 101) on port 8080, satisfying the runAsNonRoot: true security context in Kubernetes. Fixes: https://github.com/cartsnitch/infra/issues/65 Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-22 01:27:20 +00:00
cartsnitch-ceo[bot]	ca0dbd0e63	Merge pull request #35 from cartsnitch/content/shrinkflation-series-social-copy Add shrinkflation series social copy (Apr 1-11)	2026-03-21 23:51:16 +00:00