Update kyaml to specify user for function

kyaml/fn/runtime/container/container.go

@@ -133,6 +133,9 @@ type Filter struct {
 	// StorageMounts is a list of storage options that the container will have mounted.
 	StorageMounts []runtimeutil.StorageMount `yaml:"mounts,omitempty"`
 
+	// User username used to run the application in container,
+	User string
+
 	Exec runtimeexec.Filter
 }
 
@@ -174,14 +177,18 @@ func (c *Filter) getCommand() (string, []string) {
 	if c.Network != "" {
 		network = c.Network
 	}
-
+	// run as nobody by default
+	user := c.User
+	if user == "" {
+		user = "nobody"
+	}
 	args := []string{"run",
 		"--rm",                                              // delete the container afterward
 		"-i", "-a", "STDIN", "-a", "STDOUT", "-a", "STDERR", // attach stdin, stdout, stderr
 		"--network", network,
 
 		// added security options
-		"--user", "nobody", // run as nobody
+		"--user", user,
 		"--security-opt=no-new-privileges", // don't allow the user to escalate privileges
 		// note: don't make fs readonly because things like heredoc rely on writing tmp files
 	}

kyaml/fn/runtime/container/container_test.go

@@ -88,6 +88,26 @@ metadata:
 				},
 			},
 		},
+		{
+			name: "root user",
+			functionConfig: `apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: foo
+`,
+			expectedArgs: []string{
+				"run",
+				"--rm",
+				"-i", "-a", "STDIN", "-a", "STDOUT", "-a", "STDERR",
+				"--network", "none",
+				"--user", "root",
+				"--security-opt=no-new-privileges",
+			},
+			instance: Filter{
+				Image: "example.com:version",
+				User:  "root",
+			},
+		},
 	}
 
 	for i := range tests {

kyaml/fn/runtime/runtimeutil/functiontypes.go

@@ -52,6 +52,9 @@ type ContainerSpec struct {
 
 	// Mounts are the storage or directories to mount into the container
 	StorageMounts []StorageMount `json:"mounts,omitempty" yaml:"mounts,omitempty"`
+
+	// User is the username/uid that application runs as in continer
+	User string `json:"user,omitempty" yaml:"user,omitempty"`
 }
 
 // ContainerNetwork

kyaml/runfn/runfn.go

@@ -87,6 +87,9 @@ type RunFns struct {
 	// this is a variable so it can be mocked in tests
 	functionFilterProvider func(
 		filter runtimeutil.FunctionSpec, api *yaml.RNode) (kio.Filter, error)
+
+	// User username used to run the application in container,
+	User string
 }
 
 // Execute runs the command
@@ -380,11 +383,17 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode) (kio.Filter
 		atomic.AddUint32(&r.resultsCount, 1)
 	}
 	if !r.DisableContainers && spec.Container.Image != "" {
+		// command line username has higher priority
+		user := spec.Container.User
+		if r.User != "" {
+			user = r.User
+		}
 		// TODO: Add a test for this behavior
 		cf := &container.Filter{
 			Image:         spec.Container.Image,
 			Network:       spec.Network,
 			StorageMounts: r.StorageMounts,
+			User:          user,
 		}
 		cf.Exec.FunctionConfig = api
 		cf.Exec.GlobalScope = r.GlobalScope