Unable to run non-root container on kubernetes using workload identity

[MarkTallentire]

Describe the Bug

Unable to run non-root container on kubernetes using workload identity due to permission problems. Documentation has no information on how to resolve this.

Steps to Reproduce

Create a dockerfile that uses USER $APP_UID as its user.
Create a kubernetes manifest with runAsNonRoot: true and allowPrivilegeEscalation: false that utilises a serviceaccount with Azure Workload Identity

The first error is a folder permission error where we have no access to ./App/.IdentityService,

This was resolved this by doing
RUN mkdir -p /app/.IdentityService && chown -R $APP_UID /app/.IdentityService

However this generates a second error

System.DllNotFoundException: Unable to load shared library 'libsecret-1.so.0' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace.

Im unsure how to proceed from here, this image works fine when running as root.

Other Information

.Net8
Kubernetes 1.30.4

Output of docker version

Docker version 27.0.3, build 7d4bcd8

[lbussell]

[Triage] @MarkTallentire which .NET image/tag are you using? And are you using the Azure SDK to set up Workload Identity?

[MarkTallentire]

Hi @lbussell, sorry. This is using mcr.microsoft.com/dotnet/aspnet:8.0 built with mcr.microsoft.com/dotnet/sdk:8.0 and I believe the error is coming from this line of code

builder.Configuration.AddAzureKeyVault(new Uri($"https://{keyVaultName}.vault.azure.net/"), new DefaultAzureCredential());

This is all running on AKS

[MarkTallentire]

Closing this as incorrect. I noticed some incorrect packages in our config that caused this. Mainly Azure.Identity was an incorrect version. All working now.

Sorry!