Security · Flashcard

What is the difference between a non-root container and a rootless container engine?

  • A. The app runs as a non-zero UID inside the container, versus the whole runtime running unprivileged
  • B. The container drops all Linux capabilities, versus the engine running as a privileged DaemonSet
  • C. The container uses a read-only root filesystem, versus the engine encrypting every image layer
  • D. The container runs with no ServiceAccount token, versus the engine bypassing the API server

Why this is the answer

A non-root container runs its app as a non-zero UID inside the container; a rootless engine runs the whole container runtime unprivileged on the host, so root inside the container is remapped to an unprivileged host user. Dropping capabilities, a read-only root filesystem, and removing the ServiceAccount token are real hardening measures, but they are not this distinction.
