A pod is failing to start. The 'kubectl describe pod' output shows: 'container has runAsNonRoot and image will run as root'. The Dockerfile of the container image does not specify a USER directive. Which action will fix the issue?
Setting runAsUser to a non-zero UID ensures the container runs as a non-root user, satisfying the runAsNonRoot constraint.
Why this answer
Option D is correct because the error 'container has runAsNonRoot and image will run as root' indicates the pod's securityContext enforces runAsNonRoot: true, but the container image runs as root (default user). Adding runAsUser: 1000 explicitly sets the container's user to a non-root UID, satisfying the runAsNonRoot constraint and allowing the pod to start.
Exam trap
CNCF often tests the misconception that runAsGroup or capabilities can override the user identity, but only runAsUser (or a USER directive in the Dockerfile) changes the effective UID to satisfy runAsNonRoot.
How to eliminate wrong answers
Option A is wrong because setting runAsGroup: 1000 only changes the group ID, not the user ID; the container still runs as root (UID 0), which violates runAsNonRoot. Option B is wrong because adding CAP_SYS_ADMIN grants elevated Linux capabilities but does not change the user the container runs as; the container remains root, so runAsNonRoot still fails. Option C is wrong because removing runAsNonRoot: true would bypass the security check, but this is a security downgrade and not the intended fix; the question implies the constraint should be satisfied, not removed.