Description
The current process runs under root and the primary reason is a need to access /var/run/docker.sock to allow container discovery. Technically it can be done with any user added to the docker group, however, I'm not really sure if such users are any better from the security point of view.
If reproxy runs inside a container but doesn't use the docker provider, running the reproxy process without root privileges makes perfect sense. I'm not sure yet how to make a universal image to address both cases unless we add an additional entrypoint that checks the provider and runs reproxy under root or non-root. Not sure how this can be done as we don't have anything in the image (scratch). Maybe the process itself should drop privileges somehow after the start?
Another idea is to isolate the docker event listener in a separate privileged process and make reproxy communicate with this process. Sort of a "provider plugin" idea, I guess.
Open for better ideas, feel free to propose.
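
A sketch of the "drop privileges after the start" idea from the description, added here as an example and not taken from the issue or from reproxy's code. It assumes Go 1.16 or later on Linux (where `syscall.Setuid` applies to every thread); `shouldDrop`, `dropPrivileges`, the `EXAMPLE_DOCKER_PROVIDER` variable and the 65534 ids are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"syscall"
)

// shouldDrop: root is only needed for the docker provider (docker.sock access).
func shouldDrop(euid int, dockerEnabled bool) bool {
	return euid == 0 && !dockerEnabled
}

// dropPrivileges permanently switches to a numeric uid/gid (a scratch image
// has no /etc/passwd to resolve names). Groups and gid go first, uid last.
func dropPrivileges(uid, gid int) error {
	if uid <= 0 || gid <= 0 {
		return errors.New("target uid and gid must be non-root")
	}
	if err := syscall.Setgroups([]int{gid}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	// Verify the drop took effect and root cannot be regained.
	if syscall.Setuid(0) == nil {
		return errors.New("root could be regained after drop")
	}
	if os.Geteuid() != uid || os.Getegid() != gid {
		return errors.New("unexpected uid/gid after drop")
	}
	return nil
}

func main() {
	dockerEnabled := os.Getenv("EXAMPLE_DOCKER_PROVIDER") == "1" // hypothetical switch
	// Open privileged listeners (ports below 1024) before this point.
	if shouldDrop(os.Geteuid(), dockerEnabled) {
		if err := dropPrivileges(65534, 65534); err != nil { // constructed ids
			log.Fatalf("drop privileges: %v", err)
		}
	}
	log.Printf("running as uid=%d gid=%d", os.Geteuid(), os.Getegid())
}
```

When the docker provider is enabled this sketch keeps root, so it covers only the non-docker case; the separate privileged listener idea is what would remove root from the proxy process in both cases.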