Description
What happened:
I'm running a Kubernetes cluster which insists on using secure policies, so setting runAsNonRoot is a requirement. This then fails to start the container because it cannot verify that the named user nonroot is not in fact tied to the root id 0, and thus it fail-safes and says it cannot start the container.
Normal Pulled 4s (x4 over 28s) kubelet Container image "coredns/coredns:1.12.4" already present on machine
Warning Failed 4s (x4 over 28s) kubelet Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root (pod: "coredns-custom-8544b6944-7tbws_dns(efb70763-e794-4a26-9691-9c86b9c31279)", container: coredns)
What you expected to happen:
I'd expect the container to start successfully.
How to reproduce it (as minimally and precisely as possible):
cat > test-coredns.yaml <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: test-dns
  name: test-dns
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-test
  namespace: test-dns
data:
  Corefile: |
    .:5353 {
        debug
        log
        health
        ready
        forward . 1.1.1.1 8.8.8.8
        cache 30
        reload
    }
    example.com:5353 {
        log
        errors
        file /etc/coredns/zones/example.com.db
    }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-zones
  namespace: test-dns
data:
  example.com.db: |
    \$ORIGIN example.com.
    @    IN SOA ns.example.com. admin.example.com. 2025091300 7200 3600 1209600 3600
    @    IN NS  ns.example.com.
    ns   IN A   192.168.1.1
    ; Example hosts (zone-file comments use ';', not '#')
    test IN A   192.168.1.19
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns-test
  namespace: test-dns
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: coredns-test
  template:
    metadata:
      labels:
        k8s-app: coredns-test
    spec:
      containers:
        - name: coredns
          image: coredns/coredns:1.12.4
          args: ["-conf", "/etc/coredns/Corefile"]
          ports:
            - containerPort: 5353
              protocol: UDP
              name: dns-udp
            - containerPort: 5353
              protocol: TCP
              name: dns-tcp
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: config-volume
              mountPath: /etc/coredns
            - name: zones-volume
              mountPath: /etc/coredns/zones
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      volumes:
        - name: config-volume
          configMap:
            name: coredns-test
            items:
              - key: Corefile
                path: Corefile
        - name: zones-volume
          configMap:
            name: coredns-zones
EOF
kubectl apply -f test-coredns.yaml
Anything else we need to know?:
Looks like someone already put in a fix but tied it to an issue which was already marked fixed:
Environment:
- the version of CoreDNS: 1.12.4
- Corefile: n/a, the container doesn't start
- logs, if applicable:
Normal Pulled 4s (x4 over 28s) kubelet Container image "coredns/coredns:1.12.4" already present on machine
Warning Failed 4s (x4 over 28s) kubelet Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root (pod: "coredns-custom-8544b6944-7tbws_dns(efb70763-e794-4a26-9691-9c86b9c31279)", container: coredns)
- OS (e.g: cat /etc/os-release): Talos v1.10.7, Kubernetes v1.33.4
- Others:
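The kubelet rule behind the "cannot verify user is non-root" event can be checked against a manifest before it is applied. The following is an added example, not code from the issue or from the CoreDNS project: it walks the reproduction's pod spec (embedded as a constructed dict), applies the pod/container securityContext precedence, and flags any container that requests runAsNonRoot while neither a numeric runAsUser nor a numeric image USER is available; fix_pod shows the usual remedy of pinning a numeric UID. The UID 65532 and the image-user table are assumptions for the example, not values from the page.

```python
import copy

# Constructed: the pod template spec from the reproduction above (volumes omitted).
POD_SPEC = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "coredns", "image": "coredns/coredns:1.12.4",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "runAsNonRoot": True,
                             "capabilities": {"drop": ["ALL"]}}},
    ],
}

# Constructed: what each image's USER resolves to. The kubelet event in the
# issue tells us it is the name "nonroot", which the kubelet cannot map to a UID.
IMAGE_USER = {"coredns/coredns:1.12.4": "nonroot"}


def effective(field, pod_sc, ctr_sc):
    """Container-level securityContext takes precedence over pod-level."""
    return ctr_sc[field] if field in ctr_sc else pod_sc.get(field)


def check_pod(pod_spec, image_user):
    """Return (container, reason) for each container the kubelet would refuse."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    for ctr in pod_spec.get("containers", []):
        ctr_sc = ctr.get("securityContext", {})
        if not effective("runAsNonRoot", pod_sc, ctr_sc):
            continue  # the verification only happens when runAsNonRoot is requested
        uid = effective("runAsUser", pod_sc, ctr_sc)
        if isinstance(uid, int):
            if uid == 0:
                findings.append((ctr["name"], "runAsUser 0 contradicts runAsNonRoot"))
            continue  # any other numeric UID is verifiable; image USER is irrelevant
        user = image_user.get(ctr["image"]) or "0"  # no USER in the image means root
        if user.isdigit():
            if user == "0":
                findings.append((ctr["name"], "image user is root"))
            continue
        findings.append((ctr["name"],
                         f"runAsNonRoot with non-numeric image user ({user}); set runAsUser"))
    return findings


def fix_pod(pod_spec, uid):
    """Hardened copy: pin a numeric UID at pod level so the kubelet can verify it.
    The caller must confirm the UID really is the image's nonroot user (assumed 65532)."""
    fixed = copy.deepcopy(pod_spec)
    fixed.setdefault("securityContext", {})["runAsUser"] = uid
    return fixed
```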