Why should containers not run as root, and what does running rootless achieve? [Advanced]
Answer
Containers should not run as root because, when the process is UID 0, a container breakout, writable host mount, or runtime bug gives an attacker more leverage than it would against an unprivileged process. Running rootless or as a non-root UID reduces privilege inside the container and reduces blast radius if the application is compromised.
Technical explanation
Root inside a container is not the same as root on the host, but it is still more dangerous than a non-root process.
Rootless containers reduce reliance on privileged daemon behavior and host-level root permissions.
Non-root images require correct file ownership, writable paths for temporary data, and compatible application behavior.
Hands-on example
Dockerfile pattern:
RUN addgroup -g 10001 app && adduser -D -u 10001 -G app app
RUN chown -R app:app /app
USER 10001
In Kubernetes, enforce runAsNonRoot and reject images that require root in restricted namespaces.
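One way to check pod specs for the runAsNonRoot rule before they reach a restricted namespace, as an added example that is not part of the original page. The function names and sample pods are hypothetical; the example goes slightly beyond the text by resolving pod-level against container-level securityContext and by covering initContainers.

```python
# Added example: flag containers in a pod spec that may run as root.
# Pod specs are constructed samples, written as dicts to avoid a YAML dependency.

def effective(pod_sc, ctr_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def audit_pod(pod):
    """Return (container name, finding) pairs; an empty list means non-root is enforced."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        uid = effective(pod_sc, sc, "runAsUser")
        non_root = effective(pod_sc, sc, "runAsNonRoot")
        if uid == 0:
            findings.append((c["name"], "runAsUser is 0"))
        elif non_root is not True:
            # Without runAsNonRoot the kubelet does not check the UID at start,
            # so the image's USER (possibly root) decides.
            findings.append((c["name"], "runAsNonRoot is not true"))
    return findings

# Constructed samples.
GOOD = {"spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                 "containers": [{"name": "api"}]}}
UNSET = {"spec": {"containers": [{"name": "api"}]}}
OVERRIDE = {"spec": {"securityContext": {"runAsNonRoot": True},
                     "initContainers": [{"name": "init", "securityContext": {"runAsUser": 0}}],
                     "containers": [{"name": "api"},
                                    {"name": "sidecar",
                                     "securityContext": {"runAsNonRoot": False}}]}}

if __name__ == "__main__":
    for name, pod in (("good", GOOD), ("unset", UNSET), ("override", OVERRIDE)):
        print(name, audit_pod(pod))
```

When runAsNonRoot is true and runAsUser is unset, the kubelet has to read the UID from the image and refuses to start a container whose USER is a name rather than a number, which is why the Dockerfile pattern ends with USER 10001.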