| Announcement date | Planned Change date |
| 2025-10-20 | 2025-10-27 |
This communication includes the following topics:
What is changing?
The kubernetes-pause image is aligning the run user with upstream as non-root (UID 65535) [1].
Why is Chainguard making this change?
The change aims to provide full compatibility with upstream, since k8s.registry.io/pause official Kubernetes pause image is configured to run as non-root since version 3.5. At the time of writing, upstream published 6 releases since then, while the Chainguard image was still configured to be run as root user, providing incompatibility with upstream.
How will this affect me?
Normally, the pause container doesn’t require running as root to reap child processes and forwarding signals to them, being PID 1. Privileged operations are executed by the kubelet and the container runtime.
Furthermore, nothing should be executed by the pause containers.
The change improves the security posture and aligns to upstream, now providing full compatibility.
If your usage of the image relies on the capabilities and permissions on the filesystem determined by the root user, who runs the pause container by default when using the Chainguard image, you’re impacted by the change. If you are not using the pause container beyond its official usage, you’re not affected by this change.
What do I need to do?
If you’re impacted by this change, adjustments in the container’s securityContext [2] must be made according to the permissions leveraged until now through the root user.
- https://github.com/kubernetes/kubernetes/issues/95038
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
FAQs
Q: Is this a breaking change?
A: Only if you’re using the pause container inappropriately.
Need help or have questions?
We're here to help - visit our support portal at support.chainguard.dev.
- Chainguard Team
Comments
0 comments
Article is closed for comments.