doc: add non-root notes

Dockerfile

@@ -6,7 +6,7 @@ ARG VERSION=v1.13.5
 RUN git clone --quiet --branch ${VERSION} --depth 1 https://github.com/ethereum/go-ethereum .
 RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build go run build/ci.go install -static ./cmd/geth
 
-FROM --platform=${BUILDPLATFORM} gcr.io/distroless/base-debian12:latest as DIST
+FROM --platform=${BUILDPLATFORM} gcr.io/distroless/base-debian12:latest
 COPY --from=BUILDER /geth/build/bin/geth /usr/local/bin/
 EXPOSE 8545 8546 8551 30303 30303/udp
 USER 65532

README.md

@@ -1,12 +1,18 @@
 # Geth Docker
 
+- security by default, No root, No shell
+- minimal and static binary
+- multi-arch
+
 ## Use the docker image
 
 ```
-docker pull ghcr.io/islishude/geth:latest --help
-docker pull ghcr.io/islishude/geth:1.13.5 --help
+docker pull ghcr.io/islishude/geth:latest
+docker pull ghcr.io/islishude/geth:1.13.5
 ```
 
+**NOTE**: the default user id of the image is **65532**
+
 ## docker-compose
 
 - [mainnet](./docker-compose/mainnet)
@@ -57,6 +63,21 @@ allowVolumeExpansion: true
 
 then update pvc.yaml file to change the storage class name to the above.
 
+the statefulsets are using official image(ethereum/client-go).
+
+if you want to use my image, then you need to add securityContext to the statefulset due to the default user is not root.
+
+```yaml
+spec:
+  template:
+    spec:
+      securityContext:
+        runAsUser: 65532
+        runAsGroup: 65532
+        fsGroup: 65532
+        fsGroupChangePolicy: OnRootMismatch
+```
+
 Start the statefulset in default namespace, you can add `-n` parameter to change it.
 
 ```