By default, Docker containers run as `root`. If an attacker compromises the app, they have root access to the container (and potentially the host). Running as a non-root user is a critical security best practice, mandated by policies like Azure Policy for Kubernetes.
The Dockerfile Fix
```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
# Create a user with a specific ID
RUN adduser -u 5678 --disabled-password --gecos "" appuser
# Chown the app directory
RUN chown -R appuser /app
# Switch user
USER appuser
# The aspnet:6.0 image listens on port 80 by default; move it to an unprivileged port
ENV ASPNETCORE_URLS=http://+:8080
EXPOSE 8080
ENTRYPOINT ["dotnet", "MyApp.dll"]
```
Key Takeaways
- You cannot bind to ports < 1024 as non-root (use 8080, not 80).
- Test this locally; file permission issues often crop up.
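
A static check for the two points above, as an added example that is not code from the original post: `check_dockerfile` (a hypothetical helper) reports a final stage that runs as root or exposes a port below 1024. It goes beyond the single-stage file shown by following `FROM <stage>` inheritance; the multi-stage sample is constructed.

```python
PAGE_DOCKERFILE = """\
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
WORKDIR /app
RUN adduser -u 5678 --disabled-password --gecos "" appuser
RUN chown -R appuser /app
USER appuser
EXPOSE 8080
ENTRYPOINT ["dotnet", "MyApp.dll"]
"""
# Constructed sample: a later stage built on "base" that re-introduces port 80.
MULTI_STAGE = PAGE_DOCKERFILE + "FROM base AS final\nEXPOSE 80\n"

def check_dockerfile(text):
    """Check the final build stage for a root user and privileged ports.

    Simplification: one instruction per line, no variable expansion.
    EXPOSE is only metadata, so a flagged port is a hint about the app's bind port.
    """
    stages = {}                 # named stage -> (user, ports), so FROM <stage> inherits
    user, ports, name = None, [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue            # blank line, comment, or instruction without arguments
        instr, arg = parts[0].upper(), parts[1]
        if instr == "FROM":
            if name:
                stages[name] = (user, ports)
            tokens = [t for t in arg.split() if not t.startswith("--")]
            user, ports = stages.get(tokens[0].lower(), (None, []))
            ports = list(ports)
            is_named = len(tokens) == 3 and tokens[1].lower() == "as"
            name = tokens[2].lower() if is_named else None
        elif instr == "USER":
            user = arg.split(":")[0].strip()      # "uid:gid" -> "uid"
        elif instr == "EXPOSE":
            ports += [int(t.split("/")[0]) for t in arg.split()
                      if t.split("/")[0].isdigit()]
    findings = []
    if user is None:
        findings.append("no USER set: runs as the base image's user (root unless the image sets one)")
    elif user in ("root", "0"):
        findings.append("USER is root")
    findings += [f"EXPOSE {p}: ports below 1024 need privileges a non-root user lacks"
                 for p in ports if p < 1024]
    return findings

if __name__ == "__main__":
    for label, text in (("page", PAGE_DOCKERFILE), ("multi-stage", MULTI_STAGE)):
        print(label, check_dockerfile(text) or "ok")
```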