
Assessing the security of Docker in Kubernetes (+Rancher)


...run as root. Is this necessary?

If some of them do, you can assume there should be quite a good reason for that. I believe that the creators of Kubernetes are quite familiar with the concept of the least privilege principle. So I would say: yes, most probably it is necessary to be able to perform required operations on the node system. However, it can be discussed, as for example here.

Does e.g. kubeadm really need root privileges? Well... to be able to perform all the required operations, yes. Compare with this answer.

However, ideas about running the whole Kubernetes cluster as a non-root user also arise. I found an interesting presentation discussing this concept.

You touched on a really broad topic in your question and it is impossible to provide a single proper answer. I would say it's rather material for an extensive blog article or even an e-book (compare with this one).

Furthermore, some Kubernetes containers, such as k8s_trident-main_trident, kube-proxy and kubelet ran in privileged mode. I guess this is necessary for Kubernetes to work properly.

If you want your containers to also be able to perform certain operations on the host system, privileged mode cannot be avoided.

You may also want to familiarize yourself with the following articles in the official Kubernetes documentation:

https://kubernetes.io/docs/concepts/security/overview/

https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

I hope it helps.
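
An added example, not part of the original answer: a small audit that lists which containers are privileged or run (or may run) as root, so each case can be checked against a documented reason. It assumes input in the shape of `kubectl get pods -A -o json`; the sample pods, the function names `classify` and `audit`, and the finding labels are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "kube-system", "name": "kube-proxy-x"},
   "spec": {"containers": [{"name": "kube-proxy",
                            "securityContext": {"privileged": true}}]}},
  {"metadata": {"namespace": "app", "name": "web"},
   "spec": {"securityContext": {"runAsUser": 1000},
            "containers": [{"name": "nginx"},
                           {"name": "debug", "securityContext": {"runAsUser": 0}}]}},
  {"metadata": {"namespace": "app", "name": "legacy"},
   "spec": {"containers": [{"name": "job"}]}}
]}
""")


def classify(pod_sc, ctr_sc):
    """Findings for one container; container-level settings override pod-level ones."""
    findings = []
    if ctr_sc.get("privileged"):
        findings.append("privileged")
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    if uid == 0:
        findings.append("runs-as-root")
    elif uid is None and not non_root:
        # No UID and no runAsNonRoot: the image's default user applies, often root.
        findings.append("may-run-as-root")
    return findings


def audit(pod_list):
    """Map 'namespace/pod/container' to its findings, skipping clean containers."""
    report = {}
    for pod in pod_list["items"]:
        spec = pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("initContainers", []) + spec["containers"]:
            found = classify(pod_sc, ctr.get("securityContext") or {})
            if found:
                key = "{namespace}/{name}".format(**pod["metadata"]) + "/" + ctr["name"]
                report[key] = found
    return report


if __name__ == "__main__":
    for target, found in audit(SAMPLE).items():
        print(target, ", ".join(found))
```

To run it against a live cluster, replace `SAMPLE` with the parsed JSON from the `kubectl` command above.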