How can I write to a directory owned by ROOT when not running as ROOT for a Tomcat Docker Image that I don’t want to edit?

I have a docker image that I am trying to run using K8s. I can get it to run on my home environment but not at my workplace as we cannot run as root on the k8 cluster.

The docker image is a Tomcat server with a WAR file that lives here:

/usr/local/tomcat/webapps/ROOT.war

During start-up Tomcat tries to explode the WAR into a directory here:

/usr/local/tomcat/webapps/ROOT

But it can’t do this because /usr/local/tomcat/webapps/ is owned by ROOT.

So I thought the best way to solve was to mount a volume with an emptyDir{} like so:

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - name: test-container
    # ...
    volumeMounts:
    - mountPath: /usr/local/tomcat/webapps/ROOT
      name: tomcat
  volumes:
  - name: tomcat
    emptyDir: {}

But this doesn’t work because it just makes an empty ROOT folder under webapps which Tomcat can’t explode the WAR to because it expects to create ROOT itself.

I also tried this:

    volumeMounts:
    - mountPath: /usr/local/tomcat/webapps
      name: tomcat

But now /webapps is just an empty folder because I assume I’m overwriting what the container is setting up for me when it starts up.

I’m obviously missing something fundamental here… I don’t want to edit the image as I believe there must be another way around this. I simply want /tomcat/webapps to be writable by the runAsUser which isn’t root.

What is the best way to do this?

Source: Docker Questions
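
The second attempt above left webapps empty because an emptyDir mounted over /usr/local/tomcat/webapps hides what the image ships there. One way to keep the image unmodified is to seed the volume from the image in an init container first; this manifest is an added example, not part of the original post. The image reference, the UID/GID 1000, the seed-webapps name and the /seed path are placeholders, and it assumes the image contains sh and cp.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000       # placeholder UID; use the one your cluster policy allows
    runAsGroup: 1000      # placeholder GID
    fsGroup: 1000         # emptyDir is made group-writable for this GID
  initContainers:
  - name: seed-webapps    # hypothetical name
    image: registry.example/tomcat-app:TAG   # placeholder: the same unmodified image
    # The image's own webapps directory is still visible here because the
    # volume is mounted at /seed, not over it. Copy ROOT.war (and anything
    # else in webapps) into the writable volume.
    command: ["sh", "-c", "cp -r /usr/local/tomcat/webapps/. /seed/"]
    securityContext:
      allowPrivilegeEscalation: false
    volumeMounts:
    - name: tomcat
      mountPath: /seed
  containers:
  - name: test-container
    image: registry.example/tomcat-app:TAG   # placeholder: the same unmodified image
    securityContext:
      allowPrivilegeEscalation: false
    volumeMounts:
    # The seeded volume now replaces the root-owned directory, so Tomcat
    # finds ROOT.war and can create ROOT next to it as the non-root user.
    - name: tomcat
      mountPath: /usr/local/tomcat/webapps
  volumes:
  - name: tomcat
    emptyDir: {}
```

Tomcat also writes to its logs, temp and work directories; if those are root-owned in the image as well, they can be given their own emptyDir mounts without seeding.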