containerd versus dockerd WORKDIR non-root permissions #1331

@michaelbannister

Description

What happened:
An image whose WORKDIR is set to a directory with permissions only for one user is run in a Pod with `securityContext.runAsUser` set to a different UID. Kind runs the pod just fine, but Kubernetes fails with an error like `failed to create containerd task: OCI runtime create failed: container_linux.go:346: starting container process caused \"chdir to cwd (\\\"/home/nonroot\\\") set in config.json failed: permission denied\": unknown`

Kind only fails in the same way as "normal" Kubernetes if the securityContext is also configured to drop all capabilities.

What you expected to happen:
Kind should fail to run the container in the same way as Kubernetes.

How to reproduce it (as minimally and precisely as possible):
See https://github.com/michaelbannister/distroless-permissions-test for a worked example.

Anything else we need to know?:
This came up while working on this Istio PR: istio/istio#20854

Environment:

  • kind version: kind v0.7.0 go1.13 darwin/amd64
  • Kubernetes version: v1.15.5 (Docker for Desktop on macOS)
  • Docker version: 19.03.5
  • OS: macOS 10.15.3

However this also occurs on the testing infrastructure for the Istio project. I don't know the details for that other than that it uses Kind.
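The two securityContext variants the report contrasts, as an added Pod manifest that is not part of the issue or the linked repository. The image name and the UIDs are placeholders; the image is assumed to set WORKDIR to /home/nonroot, a directory that only its owning UID may enter.

```yaml
# Added example (not from the issue or the kind project).
# Assumes an image whose WORKDIR is /home/nonroot, owned by UID 65532
# with mode 0700, so only that user may chdir into it.
apiVersion: v1
kind: Pod
metadata:
  name: workdir-perm-test
spec:
  restartPolicy: Never
  containers:
    - name: app
      image: example.invalid/distroless-permissions-test:latest  # placeholder image
      securityContext:
        runAsUser: 1000        # placeholder UID; deliberately not the WORKDIR owner
        runAsNonRoot: true
        # Variant 1 (reported as inconsistent): with only runAsUser set, kind
        # starts this container, while the Kubernetes cluster in the report
        # fails with "chdir to cwd ... permission denied".
        #
        # Variant 2 (reported as consistent): with all capabilities dropped,
        # kind fails in the same way as Kubernetes. Keep this block when the
        # goal is to catch WORKDIR permission mistakes in a kind-based test.
        capabilities:
          drop: ["ALL"]
```

Apply with `kubectl apply -f` and compare the container status on kind with and without the `capabilities` block.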

Labels

  • kind/external
  • upstream bugs
  • priority/important-soon (Must be staffed and worked on either currently, or very soon, ideally in time for the next release.)
