
docs(debugging): add securityContext and /proc/1/root tips for ephemeral containers#3333

Closed
timm13 wants to merge 2 commits into chainguard-dev:main from timm13:feature1

Conversation

Contributor

@timm13 timm13 commented May 17, 2026

Summary

  • securityContext required for runAsNonRoot pods: wolfi-base runs as root by default. If a pod enforces runAsNonRoot: true (without an explicit runAsUser), adding an ephemeral debug container without a matching securityContext will fail with CreateContainerConfigError: container has runAsNonRoot and image will run as root. Added a "Pods enforcing runAsNonRoot" subsection (h4) with an updated patch example.

  • /proc/1/root/ as an alternative to volumeMounts: When targetContainerName is set, the ephemeral container shares the PID namespace and can access the target container's full mount namespace via /proc/1/root/<path> — including both overlay filesystem paths and Kubernetes-backed volumes (emptyDir, configMap, PVCs). This requires matching UIDs. Added an "Accessing the target container's filesystem without volumeMounts" subsection (h4) explaining when to use this vs. explicit volumeMounts.

Both additions sourced from customer feedback (ticket #8947) and verified against a live k3d cluster.

Test plan

  • Deployed pod with runAsNonRoot: true (no runAsUser) and confirmed ephemeral wolfi-base container fails with CreateContainerConfigError
  • Added securityContext: {runAsUser: 65532, runAsNonRoot: true} to the patch and confirmed container starts
  • Deployed pod with emptyDir volume at /var/log and file at /tmp (overlay); confirmed both accessible via /proc/1/root/ from ephemeral container without volumeMounts
  • Confirmed /var/log in ephemeral container is empty without explicit volumeMounts

🤖 Generated with Claude Code
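The two points in the PR description (pin a non-zero UID when the pod enforces runAsNonRoot, and match the target container's UID so /proc/1/root/<path> is readable) can be folded into one patch builder. The script below is an added example for this page, not code from the PR or from the Chainguard docs. It reads a pod spec as `kubectl get pod NAME -o json` prints it, resolves the target container's effective runAsUser / runAsNonRoot (container-level fields override pod-level ones), and emits the strategic-merge body for the pod's ephemeralcontainers subresource. The 65532 fallback UID, the `DEBUG_IMAGE` tag and the sample pod specs are assumptions made for the example; the sample specs are constructed, not taken from a cluster.

```python
"""Build an ephemeral-container patch whose securityContext matches the target.

Usage (assumes a kubectl with --subresource support):
  kubectl get pod NAME -o json | python3 debug_patch.py app \
    | xargs -0 kubectl patch pod NAME --subresource=ephemeralcontainers \
        --type=strategic -p
"""
import json
import sys

# Assumption: the non-root UID used in the PR's test plan. Any non-zero UID
# satisfies runAsNonRoot; the target's own UID is preferred when it has one so
# /proc/1/root stays readable (same UID on both sides of the shared PID ns).
DEFAULT_NONROOT_UID = 65532
DEBUG_IMAGE = "cgr.dev/chainguard/wolfi-base:latest"  # runs as root by default


def _find_container(pod, name):
    for c in pod.get("spec", {}).get("containers", []):
        if c.get("name") == name:
            return c
    raise KeyError(f"no container named {name!r} in pod spec")


def effective_security_context(pod, target):
    """Merge pod-level and container-level securityContext for `target`.

    Container-level values win, mirroring how the kubelet resolves them.
    """
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    ctr_sc = _find_container(pod, target).get("securityContext") or {}
    merged = {}
    for key in ("runAsUser", "runAsNonRoot"):
        if key in ctr_sc:
            merged[key] = ctr_sc[key]
        elif key in pod_sc:
            merged[key] = pod_sc[key]
    return merged


def debug_security_context(pod, target):
    """securityContext the ephemeral container needs, or None if none is needed.

    - runAsNonRoot enforced, no runAsUser anywhere: the kubelet cannot prove a
      root-by-default image is non-root (CreateContainerConfigError), so pin
      a non-zero UID explicitly.
    - runAsUser set on the target: reuse it so /proc/1/root/<path> is readable.
    - nothing set: omit the field; the debug image runs as root like the target.
    """
    eff = effective_security_context(pod, target)
    uid = eff.get("runAsUser")
    nonroot = bool(eff.get("runAsNonRoot"))
    if uid is None and not nonroot:
        return None
    if uid is None:
        uid = DEFAULT_NONROOT_UID
    sc = {"runAsUser": uid}
    if nonroot:
        sc["runAsNonRoot"] = True
    return sc


def build_ephemeral_patch(pod, target, image=DEBUG_IMAGE, name="debugger"):
    """Strategic-merge patch body for the pod's ephemeralcontainers subresource."""
    ctr = {
        "name": name,
        "image": image,
        "command": ["sh"],
        "stdin": True,
        "tty": True,
        # Joins the target's PID namespace, so PID 1 is the target's entrypoint
        # and /proc/1/root is the target's root filesystem.
        "targetContainerName": target,
    }
    sc = debug_security_context(pod, target)
    if sc is not None:
        ctr["securityContext"] = sc
    return {"spec": {"ephemeralContainers": [ctr]}}


def proc_root_path(path):
    """Map a path inside the target container to its /proc/1/root view."""
    return "/proc/1/root/" + path.lstrip("/")


# Constructed sample pod specs for the three cases above (not from a cluster).
SAMPLE_NONROOT_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "example.test/app:1"}]}}
SAMPLE_UID_POD = {"spec": {"containers": [
    {"name": "app", "image": "example.test/app:1",
     "securityContext": {"runAsUser": 1000}}]}}
SAMPLE_ROOT_POD = {"spec": {"containers": [
    {"name": "app", "image": "example.test/app:1"}]}}


if __name__ == "__main__":
    target_name = sys.argv[1] if len(sys.argv) > 1 else "app"
    print(json.dumps(build_ephemeral_patch(json.load(sys.stdin), target_name)))
```

Two caveats worth keeping in mind when using /proc/1/root this way: the kernel gates /proc/PID/root with ptrace access checks, so a UID mismatch (or a missing CAP_SYS_PTRACE) yields EACCES rather than an empty directory; and if the pod sets shareProcessNamespace: true, PID 1 is the pause container rather than the target's entrypoint, so the target's filesystem has to be located via its actual PID in that case.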

timm13 and others added 2 commits May 17, 2026 21:24
…ral containers

Two additions to the Troubleshooting Volume Mounts section, sourced from
customer feedback (ticket #8947):

- Pods enforcing runAsNonRoot: wolfi-base runs as root by default and will
  fail with CreateContainerConfigError unless the ephemeral container patch
  includes a matching securityContext.

- Accessing the target container filesystem without volumeMounts: /proc/1/root/
  traverses the target container's full mount namespace (overlay + Kubernetes
  volumes), provided the ephemeral container runs as the same UID. Explicit
  volumeMounts remain the fallback when security policies block /proc access.

Both points verified against a live k3d cluster.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@timm13 timm13 requested a review from a team as a code owner May 17, 2026 19:25

netlify Bot commented May 17, 2026

Deploy Preview for ornate-narwhal-088216 ready!

Name Link
🔨 Latest commit 0b57d75
🔍 Latest deploy log https://app.netlify.com/projects/ornate-narwhal-088216/deploys/6a0a16103361040008c2c1e7
😎 Deploy Preview https://deploy-preview-3333--ornate-narwhal-088216.netlify.app

@timm13 timm13 closed this May 17, 2026