ko-build · maxbrunet · Mar 23, 2024
diff --git a/docs/reference/ko_apply.md b/docs/reference/ko_apply.md
@@ -53,6 +53,7 @@ ko apply -f FILENAME [flags]
   -h, --help                     help for apply
       --image-label strings      Which labels (key=value) to add to the image.
       --image-refs string        Path to file where a list of the published image references will be written.
+      --image-user string        The default user the image should be run as.
       --insecure-registry        Whether to skip TLS verification on the registry
   -j, --jobs int                 The maximum number of concurrent builds (default GOMAXPROCS)
   -L, --local                    Load into images to local docker daemon.

diff --git a/docs/reference/ko_build.md b/docs/reference/ko_build.md
@@ -49,6 +49,7 @@ ko build IMPORTPATH... [flags]
   -h, --help                     help for build
       --image-label strings      Which labels (key=value) to add to the image.
       --image-refs string        Path to file where a list of the published image references will be written.
+      --image-user string        The default user the image should be run as.
       --insecure-registry        Whether to skip TLS verification on the registry
   -j, --jobs int                 The maximum number of concurrent builds (default GOMAXPROCS)
   -L, --local                    Load into images to local docker daemon.

diff --git a/docs/reference/ko_create.md b/docs/reference/ko_create.md
@@ -53,6 +53,7 @@ ko create -f FILENAME [flags]
   -h, --help                     help for create
       --image-label strings      Which labels (key=value) to add to the image.
       --image-refs string        Path to file where a list of the published image references will be written.
+      --image-user string        The default user the image should be run as.
       --insecure-registry        Whether to skip TLS verification on the registry
   -j, --jobs int                 The maximum number of concurrent builds (default GOMAXPROCS)
   -L, --local                    Load into images to local docker daemon.

diff --git a/docs/reference/ko_resolve.md b/docs/reference/ko_resolve.md
@@ -46,6 +46,7 @@ ko resolve -f FILENAME [flags]
   -h, --help                     help for resolve
       --image-label strings      Which labels (key=value) to add to the image.
       --image-refs string        Path to file where a list of the published image references will be written.
+      --image-user string        The default user the image should be run as.
       --insecure-registry        Whether to skip TLS verification on the registry
   -j, --jobs int                 The maximum number of concurrent builds (default GOMAXPROCS)
   -L, --local                    Load into images to local docker daemon.

diff --git a/docs/reference/ko_run.md b/docs/reference/ko_run.md
@@ -37,6 +37,7 @@ ko run IMPORTPATH [flags]
   -h, --help                     help for run
       --image-label strings      Which labels (key=value) to add to the image.
       --image-refs string        Path to file where a list of the published image references will be written.
+      --image-user string        The default user the image should be run as.
       --insecure-registry        Whether to skip TLS verification on the registry
   -j, --jobs int                 The maximum number of concurrent builds (default GOMAXPROCS)
   -L, --local                    Load into images to local docker daemon.

diff --git a/pkg/build/gobuild.go b/pkg/build/gobuild.go
@@ -101,6 +101,7 @@ type gobuild struct {
 	platformMatcher      *platformMatcher
 	dir                  string
 	labels               map[string]string
+	user                 string
 	debug                bool
 	semaphore            *semaphore.Weighted
 
@@ -126,6 +127,7 @@ type gobuildOpener struct {
 	defaultLdflags       []string
 	platforms            []string
 	labels               map[string]string
+	user                 string
 	dir                  string
 	jobs                 int
 	debug                bool
@@ -145,6 +147,7 @@ func (gbo *gobuildOpener) Open() (Interface, error) {
 	return &gobuild{
 		ctx:                  gbo.ctx,
 		getBase:              gbo.getBase,
+		user:                 gbo.user,
 		creationTime:         gbo.creationTime,
 		kodataCreationTime:   gbo.kodataCreationTime,
 		build:                gbo.build,
@@ -1164,6 +1167,10 @@ func (g *gobuild) buildOne(ctx context.Context, refStr string, base v1.Image, pl
 		cfg.Config.Labels[k] = v
 	}
 
+	if g.user != "" {
+		cfg.Config.User = g.user
+	}
+
 	empty := v1.Time{}
 	if g.creationTime != empty {
 		cfg.Created = g.creationTime

diff --git a/pkg/build/gobuild_test.go b/pkg/build/gobuild_test.go
@@ -844,6 +844,7 @@ func TestGoBuild(t *testing.T) {
 		withSBOMber(fauxSBOM),
 		WithLabel("foo", "bar"),
 		WithLabel("hello", "world"),
+		WithUser("1234:1234"),
 		WithPlatforms("all"),
 	)
 	if err != nil {
@@ -898,6 +899,19 @@ func TestGoBuild(t *testing.T) {
 			t.Fatalf("Labels diff (-got,+want): %s", d)
 		}
 	})
+
+	t.Run("check user", func(t *testing.T) {
+		cfg, err := img.ConfigFile()
+		if err != nil {
+			t.Fatalf("ConfigFile() = %v", err)
+		}
+
+		want := "1234:1234"
+		got := cfg.Config.User
+		if got != want {
+			t.Fatalf("User: %s != %s", want, got)
+		}
+	})
 }
 
 func TestGoBuild_Defaults(t *testing.T) {

diff --git a/pkg/build/options.go b/pkg/build/options.go
@@ -142,6 +142,14 @@ func WithLabel(k, v string) Option {
 	}
 }
 
+// WithUser is a functional option for overriding the user in the image config.
+func WithUser(user string) Option {
+	return func(gbo *gobuildOpener) error {
+		gbo.user = user
+		return nil
+	}
+}
+
 // withBuilder is a functional option for overriding the way go binaries
 // are built.
 func withBuilder(b builder) Option {

diff --git a/pkg/commands/options/build.go b/pkg/commands/options/build.go
@@ -65,6 +65,7 @@ type BuildOptions struct {
 	SBOMDir              string
 	Platforms            []string
 	Labels               []string
+	User                 string
 	Debug                bool
 	// UserAgent enables overriding the default value of the `User-Agent` HTTP
 	// request header used when retrieving the base image.
@@ -95,6 +96,8 @@ func AddBuildOptions(cmd *cobra.Command, bo *BuildOptions) {
 		"Which platform to use when pulling a multi-platform base. Format: all | <os>[/<arch>[/<variant>]][,platform]*")
 	cmd.Flags().StringSliceVar(&bo.Labels, "image-label", []string{},
 		"Which labels (key=value) to add to the image.")
+	cmd.Flags().StringVar(&bo.User, "image-user", "",
+		"The default user the image should be run as.")
 	cmd.Flags().BoolVar(&bo.Debug, "debug", bo.Debug,
 		"Include Delve debugger into image and wrap around ko-app. This debugger will listen to port 40000.")
 	bo.Trimpath = true

diff --git a/pkg/commands/resolver.go b/pkg/commands/resolver.go
@@ -120,6 +120,10 @@ func gobuildOptions(bo *options.BuildOptions) ([]build.Option, error) {
 		opts = append(opts, build.WithLabel(parts[0], parts[1]))
 	}
 
+	if bo.User != "" {
+		opts = append(opts, build.WithUser(bo.User))
+	}
+
 	if bo.BuildConfigs != nil {
 		opts = append(opts, build.WithConfig(bo.BuildConfigs))
 	}