To ensure images are not running as root in Kubernetes clusters, we need the images to have numeric UIDs rather than user names set in their "USER" instructions (via Dockerfile).
We need to check and potentially rebuild all production images that are running in our cluster (snapshot as of 2021-02-09):
[ ] kube-policy-controller:latest
[ ] envoy:1.15.1-2
[ ] eventrouter:0.3.0-4
[ ] prometheus-statsd-exporter:0.0.5
[ ] prometheus-statsd-exporter:0.0.7
[ ] tiller:2.16.7-wmf1
[ ] coredns:1.5.2-1
[ ] envoy-future:1.15.1
[ ] envoy-future:1.16.0
[ ] envoy:1.15.1-2
[ ] fluent-bit:1.5.3-0
[ ] nutcracker:latest
[ ] prometheus-statsd-exporter:0.0.5
[ ] prometheus-statsd-exporter:0.0.7
[ ] ratelimit:1.5.1
[ ] tiller:2.16.7-wmf1
What Kubernetes basically does for validation is:
```
# Take the user part of Config.User (before any ":group") and require it to be numeric
u=$(docker inspect "$IMAGE_ID" | jq -r '.[].Config.User' | cut -d ':' -f1); if ! [[ "$u" =~ ^[0-9]+$ ]]; then echo "Nono"; fi
```
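
To run the same check across the image list above, the following added example (not part of the original task; `classify_image_user` and `check_images` are hypothetical helper names) classifies each image's `Config.User`. It goes one step beyond the one-liner by also separating an unset USER and an explicit UID 0, both of which mean the container starts as root.

```shell
#!/bin/sh
# Added example: classify the Config.User value of container images.
# Helper names are hypothetical; only `docker inspect --format` is a real CLI call.

# Print one verdict for a raw Config.User string such as "", "nobody" or "65534:65534".
classify_image_user() {
  cu_user="${1%%:*}"                   # drop an optional ":group" suffix
  case "$cu_user" in
    "")       echo "root-default" ;;   # no USER instruction: container starts as UID 0
    *[!0-9]*) echo "non-numeric" ;;    # user name: UID cannot be verified from metadata
    *[!0]*)   echo "ok" ;;             # digits only and not all zeros
    *)        echo "root" ;;           # "0", "00", ...
  esac
}

# Inspect every image named on the command line; return non-zero if any is not "ok".
check_images() {
  ci_rc=0
  for ci_image in "$@"; do
    if ! ci_user=$(docker inspect --format '{{.Config.User}}' "$ci_image"); then
      echo "inspect-failed $ci_image" >&2
      ci_rc=1
      continue
    fi
    ci_verdict=$(classify_image_user "$ci_user")
    printf '%-13s %s (USER=%s)\n' "$ci_verdict" "$ci_image" "${ci_user:-<unset>}"
    [ "$ci_verdict" = "ok" ] || ci_rc=1
  done
  return "$ci_rc"
}

# Only touch docker when image names are passed, e.g.: ./check-user.sh envoy:1.15.1-2
if [ "$#" -gt 0 ]; then
  check_images "$@"
fi
```

Images reported as `non-numeric`, `root` or `root-default` are the ones that need a rebuild with a numeric, non-zero `USER`.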