Nginx image: unable to run as non root in kubernetes

[diconico07]

I'm unable to run the nginx image with it's default configuration within a pod with the following securityContext:

  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  seccompProfile:
    type: RuntimeDefault
  runAsNonRoot: true

Running as root with CAP_DAC_OVERRIDE, CAP_SETUID and CAP_SETGID works.

Without those logs are complaining about:

nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2025/09/17 07:13:30 [emerg] 1#1: mkdir() "/var/lib/nginx/tmp/" failed (13: Permission denied)

Looking into the image, it looks like /var/log/nginx and /var/lib/nginx directories are not existing.

[alexandrevicenzi]

The Nginx container and the default configuration are not configured to run as a non-root user.

Running containers as non-root is being addressed by #2801.

[diconico07]

Re-looked properly in the image, /var/log/nginx and /var/lib/nginx are here with proper permissions.

Forcing the correct user/group using pod Security context lead to it failing on creating /run/nginx.pid as the user doesn't have the necessary permissions to do so.

securityContext:
    fsGroup: 486
    runAsUser: 499

As a workaround I was able to get it running by using an emptyDir volume in place of /run.
So changing the permissions so that the nginx user can write to /run is likely enough to get it to run this way.