codice · dcruver · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026
diff --git a/keip-integration/Dockerfile b/keip-integration/Dockerfile
@@ -1,7 +1,7 @@
 # Local development Dockerfile. CI releases use the Jib Maven plugin (see pom.xml).
 FROM eclipse-temurin:21-jre@sha256:34a58218d838035428163eb35abb629944c5906d1bedcfef8bc8864cce11dfe5
-RUN groupadd --system appgroup && useradd --system --gid appgroup appuser
+RUN groupadd --system --gid 999 appgroup && useradd --system --uid 999 --gid appgroup appuser
 COPY target/app.jar /app/app.jar
-RUN chown -R appuser:appgroup /app
-USER appuser
+RUN chown -R 999:999 /app
+USER 999
 ENTRYPOINT ["java", "-Djdk.httpclient.HttpClient.log=errors,requests", "-Dspring.config.location=/var/spring/config/", "-jar", "/app/app.jar"]
diff --git a/keip-integration/pom.xml b/keip-integration/pom.xml
@@ -12,7 +12,7 @@
 
     <groupId>org.codice.keip</groupId>
     <artifactId>keip-integration</artifactId>
-    <version>0.5.0</version>
+    <version>0.6.0</version>
 
     <properties>
         <docker.registry>ghcr.io/codice</docker.registry>
@@ -108,6 +108,7 @@
                         <image>eclipse-temurin:21-jre@sha256:34a58218d838035428163eb35abb629944c5906d1bedcfef8bc8864cce11dfe5</image>
                     </from>
                     <container>
+                        <user>999</user>
                         <creationTime>${maven.build.timestamp}</creationTime>
                         <jvmFlags>
                             <jvmFlag>-Dspring.config.location=/var/spring/config/</jvmFlag>

diff --git a/operator/Makefile b/operator/Makefile
@@ -1,4 +1,4 @@
-VERSION ?= 0.16.0
+VERSION ?= 0.17.0
 GIT_TAG := operator_v$(VERSION)
 
 KUBECTL := kubectl

diff --git a/operator/controller/keip-controller-props.yaml b/operator/controller/keip-controller-props.yaml
@@ -4,4 +4,4 @@ metadata:
   name: keip-controller-props
   namespace: keip
 data:
-  integration-image: "ghcr.io/codice/keip/keip-integration:0.5.0"
+  integration-image: "ghcr.io/codice/keip/keip-integration:0.6.0"
diff --git a/operator/controller/webhook-deployment.yaml b/operator/controller/webhook-deployment.yaml
@@ -27,11 +27,12 @@ spec:
       serviceAccountName: keip-controller-service
       securityContext:
         runAsNonRoot: true
+        runAsUser: 999
         seccompProfile:
           type: RuntimeDefault
       containers:
         - name: webhook
-          image: ghcr.io/codice/keip/webapp:0.19.0
+          image: ghcr.io/codice/keip/webapp:0.20.0
           ports:
             - containerPort: 7080
               name: webhook-http

diff --git a/webapp/Dockerfile b/webapp/Dockerfile
@@ -2,7 +2,7 @@ FROM python:3.11-slim
 
 LABEL org.opencontainers.image.source=https://github.com/codice/keip
 
-RUN groupadd --system appgroup && useradd --system --gid appgroup appuser
+RUN groupadd --system --gid 999 appgroup && useradd --system --uid 999 --gid appgroup appuser
 
 WORKDIR /code/webapp
 
@@ -13,6 +13,6 @@ COPY . .
 
 RUN chown -R appuser:appgroup /code
 ENV PYTHONDONTWRITEBYTECODE=1
-USER appuser
+USER 999
 
 ENTRYPOINT ["python", "-m", "uvicorn", "webapp.app:app", "--host", "0.0.0.0", "--port", "7080", "--app-dir", "/code"]
diff --git a/webapp/Makefile b/webapp/Makefile
@@ -1,4 +1,4 @@
-VERSION ?= 0.19.0
+VERSION ?= 0.20.0
 HOST_PORT ?= 7080
 GIT_TAG := webapp_v$(VERSION)
 

diff --git a/webapp/core/sync.py b/webapp/core/sync.py
@@ -341,6 +341,8 @@ def _create_pod_template(parent, labels, integration_image) -> Mapping[str, Any]
             "serviceAccountName": "integrationroute-service",
             "securityContext": {
                 "runAsNonRoot": True,
+                "runAsUser": 999,
+                "fsGroup": 999,
                 "seccompProfile": {"type": "RuntimeDefault"},
             },
             "containers": [
@@ -372,7 +374,7 @@ def _create_pod_template(parent, labels, integration_image) -> Mapping[str, Any]
                             "port": management_port,
                             "scheme": scheme,
                         },
-                        "failureThreshold": 12,
+                        "failureThreshold": 24,
                         "timeoutSeconds": 3,
                     },
                 },

diff --git a/webapp/core/test/json/full-response.json b/webapp/core/test/json/full-response.json
@@ -38,6 +38,8 @@
             "serviceAccountName": "integrationroute-service",
             "securityContext": {
               "runAsNonRoot": true,
+              "runAsUser": 999,
+              "fsGroup": 999,
               "seccompProfile": {
                 "type": "RuntimeDefault"
               }
@@ -103,7 +105,7 @@
                     "port": 8443,
                     "scheme": "HTTPS"
                   },
-                  "failureThreshold": 12,
+                  "failureThreshold": 24,
                   "timeoutSeconds": 3
                 },
                 "env": [

diff --git a/webapp/routes/test/json/full-route-response.json b/webapp/routes/test/json/full-route-response.json
@@ -31,6 +31,8 @@
             "serviceAccountName": "integrationroute-service",
             "securityContext": {
               "runAsNonRoot": true,
+              "runAsUser": 999,
+              "fsGroup": 999,
               "seccompProfile": {
                 "type": "RuntimeDefault"
               }
@@ -79,7 +81,7 @@
                     "port": 8443,
                     "scheme": "HTTPS"
                   },
-                  "failureThreshold": 12,
+                  "failureThreshold": 24,
                   "timeoutSeconds": 3
                 },
                 "env": [