Kubernetes "container has runAsNonRoot and image will run as root" in CI
The pod’s securityContext.runAsNonRoot: true tells the kubelet to refuse to start the container as root, but the image’s default user is root (UID 0) and no runAsUser overrides it - so the kubelet blocks startup.
What this error means
A pod sits at CreateContainerConfigError and never starts. kubectl describe pod shows Error: container has runAsNonRoot and image will run as root. It is deterministic - the image user and the policy genuinely disagree.
Warning Failed 6s (x4 over 40s) kubelet Error: container has runAsNonRoot
and image will run as root (pod: "api-...", container: api)Common causes
Image runs as root, policy forbids it
The Dockerfile has no USER directive (or sets root), so the image defaults to UID 0. With runAsNonRoot: true the kubelet refuses to start it.
No numeric runAsUser supplied
A USER appuser by name (not a numeric UID) cannot be verified as non-root at admission, so the kubelet still treats it as potentially root unless a numeric runAsUser is set.
How to fix it
Run the container as a non-root UID
Set a numeric, non-zero runAsUser in the securityContext (and matching fsGroup if it needs to write).
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000Or build the image to run non-root
- Add a numeric
USER 1000to the Dockerfile and ensure the app’s files are owned/readable by it. - Confirm the process does not need to bind a privileged port (<1024) as non-root.
- Rebuild and redeploy; the kubelet now starts it without the override.
# Dockerfile
RUN adduser -u 1000 -D appuser
USER 1000How to prevent it
- Build images with a numeric non-root
USERso they satisfy restricted Pod Security. - Set
runAsNonRoot: trueand a numericrunAsUserconsistently in manifests. - Validate images against the namespace Pod Security Standard in CI.