and fixed mount name again..

Dockerfile

@@ -4,22 +4,22 @@ FROM debian:bookworm-slim
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Update and install Swiss Army Knife tools
-RUN apt-get update && apt-get install -y     curl     wget     git     jq     unzip     tar     vim     nano     python3     python3-pip     python3-venv     build-essential     iputils-ping     dnsutils     net-tools     nodejs     npm     ffmpeg     openssh-server     sudo     && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y     curl     wget     git     jq     unzip     tar     vim     nano     python3     python3-pip     python3-venv     build-essential     iputils-ping     dnsutils     net-tools     nodejs     npm     ffmpeg     openssh-server  ripgrep ncdu   sudo     && rm -rf /var/lib/apt/lists/*
 
 # Install yq (binary release for latest version)
 RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq &&     chmod +x /usr/bin/yq
+RUN wget https://downloads-openshift-console.apps.lab.apilab.us/amd64/linux/oc.tar -O /tmp/oc.tar &&     tar -xvf /tmp/oc.tar -C /usr/bin/ &&     rm /tmp/oc.tar && chmod +x /usr/bin/oc
 
 # Setup SSH directory & Config for OpenShift (Random UID support)
 RUN mkdir -p /var/run/sshd &&     chmod 775 /var/run/sshd
 
 # Custom sshd_config for non-root usage
-# POINTS TO PERSISTENT VOLUME (/data/ssh) for host keys
-# StrictModes no: Allow looser permissions if absolutely necessary (e.g. random UID with group access)
-# But ideally we fix permissions on boot.
-RUN echo "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nPidFile /var/run/sshd/sshd.pid\nHostKey /data/ssh/ssh_host_rsa_key\nHostKey /data/ssh/ssh_host_ecdsa_key\nHostKey /data/ssh/ssh_host_ed25519_key\nAuthorizedKeysFile .ssh/authorized_keys\nChallengeResponseAuthentication no\nUsePAM yes\nSubsystem sftp /usr/lib/openssh/sftp-server" > /etc/ssh/sshd_config
+# StrictModes no: Required for non-root / random UID environments
+# PidFile: Point to /tmp for guaranteed write access
+RUN echo "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nStrictModes no\nPidFile /tmp/sshd.pid\nHostKey /data/ssh/ssh_host_rsa_key\nHostKey /data/ssh/ssh_host_ecdsa_key\nHostKey /data/ssh/ssh_host_ed25519_key\nAuthorizedKeysFile .ssh/authorized_keys\nChallengeResponseAuthentication no\nUsePAM yes\nSubsystem sftp /usr/lib/openssh/sftp-server" > /etc/ssh/sshd_config
 
-# Create a user 'claw' with sudo access
-RUN useradd -m -s /bin/bash claw &&     echo "claw ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers &&     chmod -R g+rwX /home/claw
+# Create a user 'claw' (UID 1000) with sudo access
+RUN useradd -m -s /bin/bash -u 1000 claw &&     echo "claw ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers &&     chmod -R g+rwX /home/claw
 
 # Prepare volume mount point
 # Mount persistent storage here
@@ -32,6 +32,9 @@ WORKDIR /data
 # Expose SSH port (non-privileged)
 EXPOSE 2222
 
+# Switch to user 'claw' (UID 1000)
+USER claw
+
 # Start SSH daemon
-# Fix: Enforce chmod 600 on keys before starting sshd
+# Fix: StrictModes no handles permissions, but chmod 600 helps sanity.
 CMD ["/bin/bash", "-c", "mkdir -p /data/ssh && if [ ! -f /data/ssh/ssh_host_rsa_key ]; then     echo 'Generating persistent host keys...';     ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa;     ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa;     ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519; fi && chmod 600 /data/ssh/ssh_host_*_key && /usr/sbin/sshd -D -f /etc/ssh/sshd_config"]

manifests/deployment.yaml

@@ -17,10 +17,46 @@ spec:
       labels:
         app: clawdbox
     spec:
+      serviceAccountName: clawd-sa
+      initContainers:
+        - name: setup-ssh
+          image: docker.io/alpine:latest
+          command:
+            - sh
+            - -c
+            - |
+              # 1. Fix data volume permissions
+              chown -R 1000:0 /data && chmod -R 775 /data
+
+              # 2. Setup writable SSH tirectory from Secret
+              cp /mnt/keys/authorized_keys /working-ssh/
+              chown 1000:0 /working-ssh/authorized_keys
+              chmod 600 /working-ssh/authorized_keys
+          volumeMounts:
+            - name: data-volume
+              mountPath: /data
+            - name: ssh-keys-secret
+              mountPath: /mnt/keys
+            - name: ssh-working
+              mountPath: /working-ssh
       containers:
         - name: clawdbox
           image: default-route-openshift-image-registry.apps.lab.apilab.us/clawdbox/clawdbox:latest
           imagePullPolicy: Always
+          command:
+            - /bin/bash
+            - "-c"
+            - |
+              mkdir -p /data/ssh
+              if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
+                echo 'Generating persistent host keys...'
+                ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
+                ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
+                ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
+              fi
+              chmod 600 /data/ssh/ssh_host_*_key
+              # Run sshd with PAM disabled and logging to stderr
+              /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config -o UsePAM=no
           ports:
             - containerPort: 2222
               name: ssh
@@ -28,26 +64,32 @@ spec:
             - mountPath: /data
               name: data-volume
             - mountPath: /home/claw/.ssh
-              name: ssh-keys
+              name: ssh-working
+            - mountPath: /home/claw/.kube
+              name: kubeconfig-secret
           resources:
             limits:
-              memory: "2Gi"
+              memory: "1Gi"
               cpu: "1000m"
             requests:
-              memory: "512Mi"
+              memory: "128Mi"
               cpu: "250m"
           securityContext:
-            allowPrivilegeEscalation: false
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+            allowPrivilegeEscalation: true
             capabilities:
-              drop: ["ALL"]
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
+              add: ["CAP_AUDIT_WRITE"]
       volumes:
         - name: data-volume
           persistentVolumeClaim:
             claimName: clawdbox-pvc
-        - name: ssh-keys
+        - name: ssh-keys-secret
           secret:
             secretName: clawdbox-ssh-keys
-            defaultMode: 0600
+        - name: kubeconfig-secret
+          secret:
+            secretName: kube
+        - name: ssh-working
+          emptyDir: {}