Interview Kubernetes, Docker, Helm & Podman

Why should containers run as a non-root user, and how do you enforce it?

Kubernetes, Docker, Helm & Podman · Advanced level

Answer

Containers should run as non-root so a process compromise has less privilege inside the container and less chance of dangerous host interaction. I enforce it in the Dockerfile and in Kubernetes securityContext or admission policy.

Technical explanation

Non-root must be compatible with file ownership, writable directories, and low-port binding constraints.

In Kubernetes, enforce runAsNonRoot, runAsUser, allowPrivilegeEscalation false, and capability drops.

Container image quality affects supply chain, startup time, vulnerability surface, rollout reliability, and debugging workflows.

Prefer reproducible builds: pinned dependencies, small build context, deterministic Dockerfile order, non-root runtime, and immutable image references.

Understand the runtime boundary: an image is not a VM, and container isolation depends on kernel, namespaces, cgroups, capabilities, seccomp, and mounts.

Hands-on example

1. Create a tiny sample app and Dockerfile for this exercise: run a container as non-root and enforce Kubernetes runAsNonRoot.

2. Build and inspect it with docker build or podman build, docker history, image inspect, and a vulnerability or size scan if available.

3. Run it locally with explicit env vars, ports, user, volumes, and signal tests depending on the question.

4. Convert the final runtime assumptions into Kubernetes fields such as image, command, args, ports, securityContext, probes, and volumeMounts.

Preparing for an interview?

Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.

More Kubernetes, Docker, Helm & Podman interview questions

← All Kubernetes, Docker, Helm & Podman questions