
Add ENV for app UID #4506

Closed
richlander opened this issue Mar 20, 2023 · 4 comments

Comments

@richlander
Member

We had a discussion about how folks should use the new app user and whether they should use its name or UID for the USER instruction. We decided that the UID is best since it works better with the runAsNonUser Kubernetes feature.

Plan:

  • Add `ENV APP_UID=64198` to runtime-deps layer
  • Encourage users to use the following pattern: `USER $APP_UID`

It's possible that having an ENV for the UID may be useful for other scenarios.

@karolz-ms

@tmds
Member

tmds commented Mar 24, 2023

> We decided that the UID is best since it works better with the runAsNonUser Kubernetes feature.

@richlander can you elaborate what this means?

@richlander
Member Author

richlander commented Mar 24, 2023

Per my observations:

  • Kubernetes enables you to set and/or test the container user.
  • Kubernetes only knows about UIDs.
  • If you test the user with runAsNonUser but don't set the user in Kubernetes and set the container as a non-root user by name in your Dockerfile, then that test will fail.

Do you observe the same?

@richlander
Member Author

You can use these samples to test: #4502

@tmds
Member

tmds commented Mar 24, 2023

> #4502

This has the answer I was looking for: for `runAsNonRoot: true` to work, you need to use the `USER <uid>` format. Then Kubernetes checks rootless as: `UID != 0`. If you use the `USER <name>` format, then Kubernetes can't figure out `<name>` isn't root.
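As an added illustration (not code from this issue or from the dotnet-docker project): a small Python lint, written here, that resolves a Dockerfile's final `USER` instruction through the `ENV`/`ARG` values declared before it and reports whether the result is a numeric, non-zero UID, which is the only form Kubernetes can verify for `runAsNonRoot`, as the plan above (`ENV APP_UID` + `USER $APP_UID`) and the conclusion in this comment describe. The sample Dockerfiles, the base image name and the function names are constructed placeholders, not anything from the project.

```python
import re
from typing import Dict, Optional

# Matches ${VAR} or $VAR inside Dockerfile instruction arguments.
_VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")


def _expand(value: str, env: Dict[str, str]) -> str:
    """Substitute $VAR / ${VAR} with values seen so far; unknown vars become ''."""
    return _VAR_RE.sub(lambda m: env.get(m.group(1) or m.group(2), ""), value)


def _parse_env(args: str, env: Dict[str, str]) -> None:
    """Record 'ENV K=V K2=V2' (also ARG K[=V]) and the legacy 'ENV K V' form."""
    tokens = args.split()
    if not tokens:
        return
    if "=" in tokens[0]:
        for pair in tokens:
            key, _, val = pair.partition("=")
            env[key] = _expand(val.strip("\"'"), env)
    else:
        key, _, val = args.partition(" ")
        env[key] = _expand(val.strip().strip("\"'"), env)


def check_dockerfile_user(text: str) -> dict:
    """Resolve the effective USER of a Dockerfile and classify it the way
    Kubernetes' runAsNonRoot check can see it: numeric UID != 0 passes,
    UID 0 fails, and a user *name* cannot be verified at all."""
    env: Dict[str, str] = {}
    last_user: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr in ("ENV", "ARG"):
            _parse_env(args.strip(), env)
        elif instr == "USER":
            # USER user[:group]; only the user part matters for the UID check.
            last_user = _expand(args.strip().split(":")[0], env)

    if last_user is None:
        return {"user": None, "numeric": False, "verifiable_nonroot": False,
                "reason": "no USER instruction; the container runs as root by default"}
    numeric = last_user.isdigit()
    if not numeric:
        reason = (f"USER '{last_user}' is a name; Kubernetes only knows UIDs, "
                  "so runAsNonRoot cannot verify it")
    elif int(last_user) == 0:
        reason = "UID 0 is root; runAsNonRoot rejects it"
    else:
        reason = f"numeric UID {last_user} != 0 satisfies runAsNonRoot"
    return {"user": last_user, "numeric": numeric,
            "verifiable_nonroot": numeric and int(last_user) != 0, "reason": reason}


# Constructed sample Dockerfiles (placeholder base image, not a real tag).
DOCKERFILE_UID = """\
FROM base-image-placeholder
ENV APP_UID=64198
WORKDIR /app
COPY . .
USER $APP_UID
ENTRYPOINT ["./myapp"]
"""

DOCKERFILE_NAME = """\
FROM base-image-placeholder
ENV APP_USER=app
WORKDIR /app
COPY . .
USER ${APP_USER}
ENTRYPOINT ["./myapp"]
"""

if __name__ == "__main__":
    for label, df in (("by UID", DOCKERFILE_UID), ("by name", DOCKERFILE_NAME)):
        result = check_dockerfile_user(df)
        print(f"{label}: user={result['user']!r} -> {result['reason']}")
```

Run as a script it reports the UID-based Dockerfile as verifiable and the name-based one as not; as a CI step the same function can be pointed at each Dockerfile in a repository to catch `USER <name>` before a `runAsNonRoot: true` pod spec rejects the image at admission time.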
