DevOps · Flashcard

What does the runAsNonRoot field in a security context do?

  • A. It validates at Pod startup that the container will not run as UID 0 — if the image user is root, the container fails to start
  • B. It automatically switches the container process to UID 1000 at startup — overriding whatever user the image specifies
  • C. It removes root capabilities from the container process after startup — the process starts as root then drops to non-root
  • D. It enables a user namespace so the container appears as root inside but maps to non-root on the host system

Why this is the answer

runAsNonRoot is a validation check, not a user switch. It doesn't change which user the container runs as — it only rejects containers that would run as root. To actually change the user, you need runAsUser. The most common mistake is thinking runAsNonRoot forces a non-root UID automatically.
