Custom security context
We're facing an issue with the sidecar injection, because it uses a fixed user.
We use an OpenShift cluster and deployed the operator. When we deploy our application we get the error:
unable to validate against any security context constraint: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/flagd]: Forbidden: seccomp may not be set
Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[1].runAsUser: Invalid value: 65532: must be in the ranges: [1000920000, 1000929999]
Is there something we missed in the configuration, or is it currently impossible to use a custom user?
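For readers who want to reproduce the second error locally before pushing a manifest, the following is an added example (not code from the issue, the flagd operator, or OpenShift). It models the MustRunAsRange rule behind the restricted-v2 message: the project's allotted UID block is read from the namespace annotation `openshift.io/sa.scc.uid-range` (assumed format `"<start>/<size>"`), a pinned `runAsUser` outside that block is reported, and an unset `runAsUser` is shown being defaulted to the first UID of the block, which is what the admission step would do. The namespace and pod objects are constructed sample values, using the range from the error above.

```python
# Added example: a local approximation of the restricted-v2 SCC runAsUser check.
# Not the operator's or OpenShift's code; annotation format "start/size" is an assumption.
import copy
import re
from typing import Dict, List, Tuple

# Constructed namespace object carrying the UID block OpenShift allots per project.
NAMESPACE: Dict = {
    "metadata": {
        "name": "demo",
        "annotations": {"openshift.io/sa.scc.uid-range": "1000920000/10000"},
    }
}

# Constructed pod: container 0 leaves runAsUser unset; container 1 pins the
# distroless "nonroot" UID 65532, as the injected sidecar in the issue does.
POD: Dict = {
    "metadata": {"annotations": {}},
    "spec": {
        "containers": [
            {"name": "app", "image": "example/app"},
            {
                "name": "flagd",
                "image": "example/flagd",
                "securityContext": {"runAsUser": 65532},
            },
        ]
    },
}


def parse_uid_range(namespace: Dict) -> Tuple[int, int]:
    """Return the inclusive (min, max) UID pair from the sa.scc.uid-range annotation."""
    value = namespace["metadata"]["annotations"]["openshift.io/sa.scc.uid-range"]
    m = re.fullmatch(r"(\d+)/(\d+)", value)
    if not m:
        raise ValueError(f"unexpected uid-range annotation: {value!r}")
    start, size = int(m.group(1)), int(m.group(2))
    return start, start + size - 1


def validate_run_as_user(pod: Dict, namespace: Dict) -> List[str]:
    """Collect the complaints a MustRunAsRange SCC raises for explicit runAsUser values."""
    lo, hi = parse_uid_range(namespace)
    problems: List[str] = []
    for i, container in enumerate(pod["spec"].get("containers", [])):
        uid = container.get("securityContext", {}).get("runAsUser")
        if uid is None:
            continue  # unset: the SCC fills this in itself, no complaint
        if not lo <= uid <= hi:
            problems.append(
                f".containers[{i}].runAsUser: Invalid value: {uid}: "
                f"must be in the ranges: [{lo}, {hi}]"
            )
    return problems


def apply_range_defaults(pod: Dict, namespace: Dict) -> Dict:
    """Return a copy of the pod with unset runAsUser defaulted to the range minimum.

    Pinned values are left untouched, so a sidecar that hard-codes 65532 still
    fails validation afterwards; only containers that leave the field open benefit.
    """
    lo, _ = parse_uid_range(namespace)
    result = copy.deepcopy(pod)
    for container in result["spec"].get("containers", []):
        sc = container.setdefault("securityContext", {})
        sc.setdefault("runAsUser", lo)
    return result


if __name__ == "__main__":
    for line in validate_run_as_user(POD, NAMESPACE):
        print(line)
    defaulted = apply_range_defaults(POD, NAMESPACE)
    for c in defaulted["spec"]["containers"]:
        print(c["name"], "->", c["securityContext"]["runAsUser"])
```

Running it against the sample pod prints the same `.containers[1].runAsUser: Invalid value: 65532` line the cluster returned, while the `app` container is defaulted to 1000920000. The practical point is that a sidecar which pins `runAsUser` can never be reconciled with a per-project UID block unless the value is configurable or left unset for the SCC to fill.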
65532 corresponds to the UID of the somewhat-standard nonroot user common to "distroless" images.
This UID is commonly used, probably for the same reason your security rule exists (it's an arbitrarily high UID unlikely to be useful in a breakout situation). I'm honestly somewhat surprised you don't see this issue more often since it's used in so many base images.