From 03f771aaf11f5da3d2c0bc7966dc17be8418c911 Mon Sep 17 00:00:00 2001
From: Sam McGeown <sam.mcgeown@hashicorp.com>
Date: Fri, 15 May 2026 14:28:49 +0100
Subject: [PATCH] runAsNonRoot:false

---
 CHANGELOG.md | 3 +++
 Dockerfile   | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c1112d7..8111ad1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+
+* Run as a non-root user for Kubernetes compatibility.
+
 ## 0.2.1
 
 FEATURES
diff --git a/Dockerfile b/Dockerfile
index 2da43c7..9243d7a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,6 +39,8 @@ WORKDIR /server
 # Copy the binary from the build stage
 COPY --from=devbuild /build/vault-mcp-server .
 COPY --from=certbuild /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+# Run as a non-root user for Kubernetes compatibility.
+USER 65532:65532
 # Command to run the server
 CMD ["./vault-mcp-server", "stdio"]
 
@@ -63,6 +65,8 @@ LABEL version=$PRODUCT_VERSION
 LABEL revision=$PRODUCT_REVISION
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/vault-mcp-server
 COPY --from=certbuild /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+# Run as a non-root user for Kubernetes compatibility.
+USER 65532:65532
 CMD ["/bin/vault-mcp-server", "stdio"]
 
 # ===================================