Make Docker images run as non-root user #3868

@mmabrouk

Context

Our Helm chart for Kubernetes deployment (PR #3852) sets security contexts with runAsNonRoot: true, allowPrivilegeEscalation: false, and capabilities.drop: [ALL]. These are Kubernetes security best practices.

However, our Docker images currently run as root by default (Config.User is empty). This causes CreateContainerConfigError when runAsNonRoot: true is set.

As a workaround, the chart defaults to runAsNonRoot: false. This works but is not ideal for production environments.

What needs to change

  1. Add a non-root user to Dockerfiles for agenta-api, agenta-web, and agenta-services:

    RUN addgroup --system --gid 10001 agenta && \
        adduser --system --uid 10001 --ingroup agenta agenta
    USER 10001

  2. Ensure writable directories are owned by the new user (/tmp, any cache/log dirs).

  3. Change agenta-services container port from 80 to a high port like 8080. Non-root users cannot bind to ports below 1024. The Kubernetes Service can still expose port 80 via targetPort: 8080.

  4. Add a CI check that fails if published images run as root.

  5. Update the Helm chart to set runAsNonRoot: true once images support it.

Why this matters

Running containers as root is a security risk. If an attacker gains code execution inside the container, they have root access to the container filesystem and can potentially escape to the host. The Kubernetes "restricted" Pod Security Standard requires non-root containers.
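
One way to implement the CI check from step 4, as an added example that is not part of the original issue or the project's own code. The function names and the script name in the comments are hypothetical. Named users are treated as failures too, because the kubelet cannot verify a non-numeric image user under runAsNonRoot: true.

```shell
#!/bin/sh
# Added example: fail a CI job when an image would not pass runAsNonRoot: true.

# Succeeds (0) only if the given Config.User value is a numeric, non-zero UID,
# optionally followed by ":group". Fails (1) for an empty value (root by
# default), UID 0, and user names such as "root" or "agenta".
is_nonroot_user() {
    uid=${1%%:*}                     # drop an optional ":group" suffix
    case "$uid" in
        ''|*[!0-9]*) return 1 ;;     # empty, or not purely numeric
    esac
    [ "$uid" -ne 0 ]                 # numeric: reject 0, including "00"
}

# Inspects each image given as an argument and returns non-zero if any of
# them fails the check. Requires the docker CLI and locally available images.
check_images() {
    rc=0
    for image in "$@"; do
        if ! user=$(docker image inspect --format '{{.Config.User}}' "$image"); then
            echo "FAIL: cannot inspect $image" >&2
            rc=1
            continue
        fi
        if is_nonroot_user "$user"; then
            echo "ok:   $image runs as '$user'"
        else
            echo "FAIL: $image has Config.User='$user'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Only runs when image references are passed, for example:
#   ./check-nonroot.sh <registry>/agenta-api:<tag> <registry>/agenta-web:<tag>
if [ "$#" -gt 0 ]; then
    check_images "$@"
fi
```

Run it after the build step and before the push, so an image with an empty or root Config.User never reaches the registry.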
