Let's say we try the impossible: a rootless build, but in a very restricted use case: adding 1 new layer with just 1 simple "rootless" `COPY` (or `cp`) directive (to a non-root-owned `/tmp` folder) to an existing docker image (that was built with a few `USER root` directives, which is rather unavoidable).
Some of the options I explored:
- BuildKit CLI for `kubectl` (Tanzu)
- Kaniko
- Moby BuildKit
- Podman (Buildah)
- Skopeo

but I have so far not found any working proofs of concept that would be truly rootless. Even the very unpacking of the base image seems to require root (while it is not required to untar standard archives).
Note: "rootless" is defined here like this: if `securityContext` needs to be set in a specific permissive way (e.g. by setting the `seccompProfile.type` field to `Unconfined`, like this), it won't count as a solution (won't work in a security-hardened setup).
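Added example (not from the post above, and not code from any of the tools it lists): the restricted use case, one `COPY` of one file into `/tmp`, does not actually require unpacking the base image at all. An OCI image is a set of content-addressed blobs plus JSON; appending a layer means writing one new tar blob, one new config blob (with its DiffID appended to `rootfs.diff_ids`) and one new manifest, then repointing `index.json`. File ownership lives in the tar header, so nothing on the build host is ever `chown`ed. The script below assumes an OCI image layout directory whose `manifests[0]` is the image to extend; since the example must run offline, it constructs a minimal base image with a uid-0 file and `USER root` in place of a real pulled image, and finishes with the check a practitioner would want: every DiffID recomputed from the stored blobs and compared against the config.

```python
"""Append one layer (one file under /tmp) to an image stored as an OCI image
layout using only tar + JSON + sha256. Constructed demo, not tool code."""
import gzip, hashlib, io, json, os, tarfile, tempfile

OCI_CONFIG = "application/vnd.oci.image.config.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_LAYER_GZ = "application/vnd.oci.image.layer.v1.tar+gzip"

def _sha256(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def _blob_path(layout: str, digest: str) -> str:
    algo, hexd = digest.split(":", 1)
    return os.path.join(layout, "blobs", algo, hexd)

def _put(layout: str, media_type: str, data: bytes) -> dict:
    """Store a blob under blobs/sha256/<hex> and return its OCI descriptor."""
    digest = _sha256(data)
    path = _blob_path(layout, digest)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return {"mediaType": media_type, "digest": digest, "size": len(data)}

def _read_json_blob(layout: str, digest: str) -> dict:
    with open(_blob_path(layout, digest), "rb") as f:
        return json.loads(f.read())

def make_layer(path_in_image: str, content: bytes, uid: int, gid: int):
    """One-file tar layer. Ownership goes into the tar header, so nothing on the
    build host is chowned. Returns (gzipped bytes, DiffID of uncompressed tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=path_in_image.lstrip("/"))
        info.size, info.mode, info.mtime = len(content), 0o644, 0
        info.uid, info.gid = uid, gid
        tar.addfile(info, io.BytesIO(content))
    raw = buf.getvalue()
    return gzip.compress(raw, mtime=0), _sha256(raw)

def make_base_layout(layout: str) -> None:
    """Constructed stand-in for the existing image: uid-0 file, USER root."""
    os.makedirs(layout, exist_ok=True)
    with open(os.path.join(layout, "oci-layout"), "w") as f:
        json.dump({"imageLayoutVersion": "1.0.0"}, f)
    layer_gz, diff_id = make_layer("/etc/base.conf", b"built as root\n", 0, 0)
    config = {"architecture": "amd64", "os": "linux", "config": {"User": "root"},
              "rootfs": {"type": "layers", "diff_ids": [diff_id]}}
    manifest = {"schemaVersion": 2, "mediaType": OCI_MANIFEST,
                "config": _put(layout, OCI_CONFIG, json.dumps(config).encode()),
                "layers": [_put(layout, OCI_LAYER_GZ, layer_gz)]}
    index = {"schemaVersion": 2, "manifests": [
        _put(layout, OCI_MANIFEST, json.dumps(manifest).encode())]}
    with open(os.path.join(layout, "index.json"), "w") as f:
        json.dump(index, f)

def append_layer(layout: str, path_in_image: str, content: bytes,
                 uid: int = 1000, gid: int = 1000) -> dict:
    """The rootless COPY: one new layer on top of manifests[0]. Existing blobs
    are never extracted; the old config/manifest blobs just go unreferenced."""
    index_path = os.path.join(layout, "index.json")
    with open(index_path) as f:
        index = json.load(f)
    manifest = _read_json_blob(layout, index["manifests"][0]["digest"])
    config = _read_json_blob(layout, manifest["config"]["digest"])
    layer_gz, diff_id = make_layer(path_in_image, content, uid, gid)
    # Manifest layer order and config diff_ids order must stay in step.
    config["rootfs"]["diff_ids"].append(diff_id)
    config.setdefault("history", []).append({"created_by": f"COPY {path_in_image}"})
    manifest["config"] = _put(layout, OCI_CONFIG, json.dumps(config).encode())
    manifest["layers"].append(_put(layout, OCI_LAYER_GZ, layer_gz))
    index["manifests"][0] = _put(layout, OCI_MANIFEST, json.dumps(manifest).encode())
    with open(index_path, "w") as f:
        json.dump(index, f)
    return manifest

def verify_layout(layout: str) -> dict:
    """Recompute each DiffID from the stored blobs; report the top layer's uid."""
    with open(os.path.join(layout, "index.json")) as f:
        manifest = _read_json_blob(layout, json.load(f)["manifests"][0]["digest"])
    diff_ids = _read_json_blob(layout, manifest["config"]["digest"])["rootfs"]["diff_ids"]
    ok, top_uid = len(diff_ids) == len(manifest["layers"]), None
    for layer, diff_id in zip(manifest["layers"], diff_ids):
        with open(_blob_path(layout, layer["digest"]), "rb") as f:
            raw = gzip.decompress(f.read())
        ok = ok and _sha256(raw) == diff_id
        with tarfile.open(fileobj=io.BytesIO(raw)) as tar:
            top_uid = tar.getmembers()[-1].uid
    return {"layers": len(diff_ids), "consistent": ok, "top_layer_uid": top_uid}

def demo() -> dict:
    """Whole flow in a temp dir; returns verify_layout()'s result."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = os.path.join(tmp, "image")
        make_base_layout(layout)
        append_layer(layout, "/tmp/hello.txt", b"hello\n")
        return verify_layout(layout)
```

`demo()` returns `{"layers": 2, "consistent": True, "top_layer_uid": 1000}`: two layers, every DiffID matches, and the new file is recorded as uid 1000 even though the base layer's file is uid 0. The `USER root` directives in the base image are irrelevant here because no layer is ever unpacked; the base blobs are only read back in `verify_layout`, and even that is plain `gzip` and `tarfile` reading with no privileges involved. Getting the layout in and out of a registry is a separate step (skopeo, for instance, copies between a registry and an `oci:` directory), and this example deliberately does not handle whiteouts or files that already exist in a lower layer; for the one-`COPY`-into-`/tmp` case in the question neither matters.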