Proper way to run Unit in Kubernetes with runAsNonRoot: true

[kv4]

Description:
I'm trying to deploy NGINX Unit in Kubernetes with Pod security context runAsNonRoot: true (non-root container), but encountering permission issues with the control socket. Here's what I've tried:

1. Created a custom user (UID 1000) in Dockerfile:

RUN groupadd -g 1000 unitgroup && \
    useradd -u 1000 -g unitgroup unituser
USER unituser

2. Configured Unit to use custom socket path:

args: [
  "--no-daemon",
  "--control", "unix:/tmp/unit/control.sock",
  "--user", "unituser",
  "--group", "unitgroup"
]

3. Kubernetes Pod security context:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000

The problem:
Unit fails to create the control socket with permission errors, even though /tmp/unit exists and has correct permissions. The logs show:

[warn] Unit is running unprivileged, then it cannot use arbitrary user and group
[alert] bind(...) failed (13: Permission denied)

Questions:

1. What is the recommended way to configure Unit for non-root Kubernetes deployments?
2. Should the control socket path be mounted as a volume?
3. Are there any working examples of Unit deployments with runAsNonRoot: true?

Additional context:

• Using official Unit image unit:1.34.2-php8.4
• Need this for compliance with Kubernetes Pod Security Standards

Thank you in advance!

[ac000]

Running Unit as non-root in Kubernetes is the same as running it non-root anywhere, in that you will need to make sure you have the right filesystem permissions configured.

Of course there are two prongs to this question.

When you say "non-root" do you mean simply having Unit run as a non-root user with the --user/group options? Whereby Unit will start as root then change user or do you mean starting the daemon itself as non-root which will impose some other restrictions...