From 6de8cd46dffed89e835b2c784828496dcee47ebe Mon Sep 17 00:00:00 2001
From: Deploy Debbie
Date: Sun, 22 Mar 2026 16:13:23 +0000
Subject: [PATCH] fix(dockerfile): add explicit numeric USER 101 for Kubernetes runAsNonRoot
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
nginxinc/nginx-unprivileged sets USER nginx internally, but the kubelet cannot resolve non-numeric string usernames against OCI image config at container-create time. With runAsNonRoot: true, K3s kubelet reports: "container has runAsNonRoot and image will run as root" Fix: explicitly add USER 101 after the COPY steps. UID 101 is the numeric UID that nginx-unprivileged's nginx user already runs as — this instruction just makes it visible in the final OCI image config layer so the kubelet can verify non-root without username resolution. Companion infra PR cartsnitch/infra#77 adds runAsUser: 101 as immediate unblock while this Dockerfile change propagates through CI.
Co-Authored-By: Paperclip
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 069d83b..c725ce8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,10 @@ FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
+# Explicitly declare numeric UID 101 (nginx-unprivileged's nginx user) so
+# Kubernetes can verify runAsNonRoot without resolving string usernames.
+USER 101
+
 EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
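Review bot: `USER 101` hard-codes a UID that is only correct while the base image keeps its nginx user at 101, and the stage's FROM line (visible in the hunk header) uses the floating tag `stable-alpine`, so a base-image rebuild could change that without any change in this file. Pinning the base by digest, e.g. `FROM nginxinc/nginx-unprivileged:stable-alpine@sha256:<digest-placeholder> AS prod`, keeps the declared UID and the image's file ownership in step, and the comment could add `# Must match the UID the base image assigns to nginx; re-verify on every base bump.` Declaring the group as well (`USER 101:101`, assuming the base image's nginx GID is also 101, which should be confirmed against the image) makes the runtime identity fully explicit instead of leaving the group to a passwd lookup. The prod stage starts above this hunk and the HEALTHCHECK instruction continues past its last line.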