TL;DR: Keycloak now runs as a predefined user with a fixed UID, so custom users or permissions may need updating.
| Announcement date | Planned Change date |
| January 26th, 2026 | Has already occurred |
What is changing?
The Chainguard Keycloak image now includes a predefined user with a specific UID. Previously, the image ran as the non-root user. The image now runs all processes as the Keycloak user, aligning more closely with upstream Keycloak behavior.
Why is Chainguard making this change?
This change was implemented to align more closely with upstream’s Keycloak user configuration and provide more consistent behavior across deployment environments.
How will this affect me?
This change will affect customers who have custom Dockerfiles that add a Keycloak user, or any permissions or policies that depend on the previous setup.
What do I need to do?
Review your deployment method and edit any user creation steps or file permission settings that may conflict with the new user.
FAQs
Does this affect other Keycloak images in the Chainguard catalogue?
No, the only image affected by this change is the default Keycloak image.
Need help or have questions?
We're here to help - visit our support portal at support.chainguard.dev.
- Chainguard Team
Comments
0 comments
Please sign in to leave a comment.