We’re running a number of k8s clusters running v1.24.
When we upgraded our clusters from v1.13 to v1.24, we saw several security warnings appear on “kubectl apply”. One of them is “runAsNonRoot != true”. So, I implemented a change that adds “securityContext.runAsNonRoot: true”, and also a “runAsUser: ”, where “” is the userid that should be set at the end of the Dockerfile, when the main process is run.
I did verify that if I set that property, the warning doesn’t appear anymore. However, I also had to verify that the presence of this setting is actually preventing a security problem, for instance if it actually prevented a container from running as nonroot, which I would assume is the point.
So, I simply changed the Dockerfile in one service that I’m testing this with, and I added “USER root” right before the main process is started. I expected that at some point in the deployment, k8s would fail in some way, telling me that this constraint has been violated. Nothing like that happened. It deployed the new image successfully with no complaints at all.
What am I missing?
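Added example, not part of the original post and not Kubernetes source code: a simplified Go model of how the kubelet picks the container user and applies `runAsNonRoot`, showing why an image ending in `USER root` still deploys when `runAsUser` is set to a non-zero UID. The names `Spec` and `Admit`, the error strings and the UID 1000 are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Spec holds the two securityContext fields from the post (hypothetical type).
type Spec struct {
	RunAsNonRoot bool
	RunAsUser    *int64 // nil when runAsUser is not set
}

// Admit returns the user the main process starts as, or an error when the
// runAsNonRoot check refuses to start the container. imageUser is the value
// of the last USER instruction in the Dockerfile ("" when there is none).
func Admit(s Spec, imageUser string) (string, error) {
	// runAsUser replaces the image's USER, so the check looks at it first.
	if s.RunAsUser != nil {
		if s.RunAsNonRoot && *s.RunAsUser == 0 {
			return "", errors.New("runAsUser breaks non-root policy")
		}
		return strconv.FormatInt(*s.RunAsUser, 10), nil
	}
	if imageUser == "" {
		imageUser = "0" // an image without USER is treated as root
	}
	if s.RunAsNonRoot {
		uid, err := strconv.ParseInt(imageUser, 10, 64)
		if err != nil {
			return "", errors.New("image has non-numeric user, cannot verify non-root")
		}
		if uid == 0 {
			return "", errors.New("image will run as root")
		}
	}
	return imageUser, nil
}

func main() {
	uid := int64(1000) // constructed sample UID
	for _, s := range []Spec{{true, &uid}, {true, nil}, {false, nil}} {
		user, err := Admit(s, "root") // Dockerfile ends with USER root
		fmt.Printf("runAsNonRoot=%v runAsUser set=%v -> user=%q err=%v\n",
			s.RunAsNonRoot, s.RunAsUser != nil, user, err)
	}
}
```

In this model the first case matches the deployment in the post: the process starts as UID 1000 regardless of the Dockerfile's `USER root`, so the non-root constraint is satisfied rather than violated.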