
fix(catalog): enforce non-root security context on catalog overlay initContainers#2568

Merged
google-oss-prow[bot] merged 1 commit intokubeflow:mainfrom
manaswinidas:fix/catalog-demo-init-runas-nonroot
Apr 10, 2026

Conversation

@manaswinidas
Contributor

@manaswinidas manaswinidas commented Apr 10, 2026

Description

The demo and odh catalog overlay initContainers were missing runAsNonRoot and runAsUser in their security contexts, causing Init:CreateContainerConfigError when the pod-level runAsNonRoot: true is enforced by the base deployment (manifests/kustomize/options/catalog/base/deployment.yaml).

Root Cause

The base catalog deployment sets runAsNonRoot: true at the pod level. Kubernetes enforces this on all containers in the pod, including initContainers. Both the demo and odh overlays patched in initContainers without specifying a non-root user:

  • demo overlay: perf-data-init uses busybox, which defaults to UID 0 (root)
  • odh overlay: catalog-data-init uses quay.io/opendatahub/odh-model-metadata-collection, same missing constraint

Changes

  • manifests/kustomize/options/catalog/overlays/demo/kustomization.yaml: Added runAsNonRoot: true and runAsUser: 65534 to perf-data-init initContainer
  • manifests/kustomize/options/catalog/overlays/odh/kustomization.yaml: Added runAsNonRoot: true and runAsUser: 65534 to catalog-data-init initContainer
  • manifests/kustomize/options/catalog/overlays/odh/kustomization.yaml: Fixed invalid kustomize behavior: add -> behavior: create (the ConfigMap model-catalog-default-sources does not exist in the base, so create is the correct value)

UID 65534 (nobody) is sufficient because both initContainers only read from configMap mounts and write to emptyDir volumes.

Context

Raised as a result of: kubeflow/manifests#3318 (comment)

The downstream manifests PR (kubeflow/manifests#3318) was blocked on this upstream issue — the demo overlay's perf-data-init container fails with Init:CreateContainerConfigError due to the UID 0 / runAsNonRoot conflict.

How Has This Been Tested?

  • Verified that the base deployment enforces runAsNonRoot: true at the pod level
  • Confirmed that both initContainers only need read access to configMap mounts and write access to emptyDir volumes, both of which work with UID 65534
  • Confirmed that the model-catalog-default-sources ConfigMap does not exist in the base kustomization, making create the correct behavior value (not merge or replace)

Merge criteria:

  • All the commits have been signed-off (To pass the DCO check)

  • The commits have meaningful messages

  • Automated tests are provided as part of the PR for major new functionalities; testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).

  • The developer has manually tested the changes and verified that the changes work.

  • Code changes follow the kubeflow contribution guidelines.

  • For first time contributors: Please reach out to the Reviewers to ensure all tests are being run, ensuring the label ok-to-test has been added to the PR.

If you have UI changes

  • N/A — manifest-only changes, no UI impact.
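As an added example (not part of this PR or the model-registry repository), a small Python lint that resolves the effective securityContext the way Kubernetes does (container-level fields override pod-level ones, and initContainers are covered) and flags containers that would fail a pod-level runAsNonRoot: true check because no non-zero UID is pinned. The pod spec it inspects is constructed inline to mirror the pre-fix demo overlay; the catalog image name is a placeholder.

```python
"""Lint a Pod spec for containers that would hit Init:CreateContainerConfigError
under pod-level runAsNonRoot: true, as the catalog overlay initContainers did."""
import copy


def effective_security(pod_spec, container):
    """Resolve (runAsNonRoot, runAsUser) as Kubernetes does: a field set on the
    container wins, otherwise the pod-level value applies (also to initContainers)."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    return bool(non_root), uid


def find_non_root_violations(pod_spec):
    """Return names of init and regular containers where runAsNonRoot is in effect
    but the UID is unset or 0. With the UID unset the kubelet falls back to the
    image's USER, which is root for busybox, so this lint is deliberately
    conservative and insists on an explicit non-zero runAsUser."""
    bad = []
    for key in ("initContainers", "containers"):
        for ctr in pod_spec.get(key, []):
            non_root, uid = effective_security(pod_spec, ctr)
            if non_root and (uid is None or uid == 0):
                bad.append(ctr["name"])
    return bad


def pin_init_containers_to_nobody(pod_spec):
    """Apply the PR's remedy: runAsNonRoot: true and runAsUser: 65534 (nobody) on
    every initContainer; 65534 suffices for reading configMap mounts and writing emptyDir."""
    out = copy.deepcopy(pod_spec)
    for ctr in out.get("initContainers", []):
        sc = ctr.setdefault("securityContext", {})
        sc["runAsNonRoot"] = True
        sc["runAsUser"] = 65534
    return out


# Constructed sample: pod-level runAsNonRoot as in the base deployment, plus a
# busybox init container with no UID, mirroring the pre-fix demo overlay.
BEFORE = {
    "securityContext": {"runAsNonRoot": True},
    "initContainers": [{"name": "perf-data-init", "image": "busybox",
                        "volumeMounts": [{"name": "perf-data", "mountPath": "/data"}]}],
    "containers": [{"name": "catalog", "image": "catalog-image:placeholder",
                    "securityContext": {"runAsUser": 1000}}],
}
AFTER = pin_init_containers_to_nobody(BEFORE)

if __name__ == "__main__":
    print("before fix:", find_non_root_violations(BEFORE))  # ['perf-data-init']
    print("after fix:", find_non_root_violations(AFTER))    # []
```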

…itContainers

Signed-off-by: manaswinidas <dasmanaswini10@gmail.com>
@google-oss-prow google-oss-prow bot requested review from rareddy and tarilabs April 10, 2026 11:23
Raakshass added a commit to Raakshass/manifests that referenced this pull request Apr 10, 2026
…ontainer

Apply upstream fix from kubeflow/model-registry#2568: add runAsNonRoot
and runAsUser: 65534 (nobody) to the perf-data-init container. The base
deployment enforces runAsNonRoot: true at pod level, but the demo
overlay init container uses busybox (UID 0), producing
Init:CreateContainerConfigError.

Re-add catalog deployment and wait blocks to model_registry_install.sh.

Signed-off-by: Siddhant Jain <siddhantjainofficial26@gmail.com>
@Raakshass

this matches the exact root cause i hit while debugging ci on kubeflow/manifests#3318. applied the same fix locally in 391883a3 to unblock our ci. once this merges and syncs downstream the manifests will be consistent.

uid 65534 is the right call — both init containers only need read on configmap mounts and write on emptydir.

@Al-Pragliola
Contributor

/lgtm

@Al-Pragliola
Contributor

thanks for addressing this issue @manaswinidas good job!

@Al-Pragliola
Contributor

/approve

@google-oss-prow
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Al-Pragliola

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 0d88909 into kubeflow:main Apr 10, 2026
28 checks passed