runAsNonRoot possible ?

[Ulrar]

Spegel version

0.0.27

Kubernetes distribution

Talos 1.8.3

Kubernetes version

1.31.1

CNI

flannel, I think ? Whatever the default in Talos is

Describe the bug

Spegel won't start with runAsNonRoot, with the configuration container logging this :

{"time":"2024-12-08T12:53:50.440469719Z","level":"ERROR","source":{"function":"main.main","file":"/build/main.go","line":86},"msg":"run exit with error","err":"stat /etc/cri/conf.d/hosts/_backup: permission denied"}

The directory is empty :

❯ talosctl --talosconfig talosconfig -n mynode list /etc/cri/conf.d/hosts/
NODE            NAME
talos-fdm-9ig   .
❯

Explicitly setting runAsNonRoot: false does let it start, and as far as I can tell it works. My question is can I do anything to make it run as non root, is there some specific runAsUser or fsGroup that would make it work, or is root required on Talos ?
If it's required, I'd suggest making a note of that in the compatibility notes as it seems the default does not work.

Thanks

[phillebaba]

Running as non root is not possible at the moment because the UID is required to communicate with the Containerd socket. This is not specific to Talos but for all Kubernetes flavors.