diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go index fa9f6004722..0c3de458307 100644 --- a/pkg/kubelet/rkt/rkt.go +++ b/pkg/kubelet/rkt/rkt.go @@ -434,6 +434,17 @@ func setApp(app *appctypes.App, c *api.Container, opts *kubecontainer.RunContain } setSupplementaryGIDs(app, podCtx) + // If 'User' or 'Group' are still empty at this point, + // then apply the root UID and GID. + // TODO(yifan): Instead of using root GID, we should use + // the GID which the user is in. + if app.User == "" { + app.User = "0" + } + if app.Group == "" { + app.Group = "0" + } + // Set working directory. if len(c.WorkingDir) > 0 { app.WorkingDirectory = c.WorkingDir diff --git a/pkg/kubelet/rkt/rkt_test.go b/pkg/kubelet/rkt/rkt_test.go index d6771d055f6..f0ee5431c29 100644 --- a/pkg/kubelet/rkt/rkt_test.go +++ b/pkg/kubelet/rkt/rkt_test.go @@ -718,8 +718,6 @@ func generateMemoryIsolator(t *testing.T, request, limit string) appctypes.Isola func baseApp(t *testing.T) *appctypes.App { return &appctypes.App{ Exec: appctypes.Exec{"/bin/foo"}, - User: "0", - Group: "22", SupplementaryGIDs: []int{4, 5, 6}, WorkingDirectory: "/foo", Environment: []appctypes.EnvironmentVariable{ @@ -740,6 +738,12 @@ func baseApp(t *testing.T) *appctypes.App { } } +func baseAppWithRootUserGroup(t *testing.T) *appctypes.App { + app := baseApp(t) + app.User, app.Group = "0", "0" + return app +} + type envByName []appctypes.EnvironmentVariable func (s envByName) Len() int { return len(s) } @@ -791,13 +795,13 @@ func TestSetApp(t *testing.T) { expect *appctypes.App err error }{ - // Nothing should change. + // Nothing should change, but the "User" and "Group" should be filled. { container: &api.Container{}, opts: &kubecontainer.RunContainerOptions{}, ctx: nil, podCtx: nil, - expect: baseApp(t), + expect: baseAppWithRootUserGroup(t), err: nil, }, 
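Review bot: The `app.Group == ""` fallback in the rkt.go hunk is applied independently of `app.User`, so a container that resolves to a non-root UID but has no group ends up with primary GID 0; the updated expectations in the `-851` and `-914` hunks of rkt_test.go pin exactly that pairing (`User: "42"`, `Group: "0"`). Root-group membership can give a non-root process access to group-readable or group-writable `root:root` files in the image and on mounted volumes, which an operator who set only a run-as user would not expect. The TODO names the gap but not its consequence, so until the user's own GID is resolved I would state it at the fallback, e.g. `// NOTE: a non-root User with an empty Group gets GID 0 (root group) here.` Both fallbacks also default silently to the most privileged identity, so it is worth confirming that any run-as-non-root validation is applied to the final `app.User`; setApp's body starts and ends outside this hunk, so that check is not visible here.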
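Review bot: With `User: "0"` and `Group: "22"` dropped from `baseApp` (the `-718` hunk), no case visible in this diff asserts that a user or group already present on the app survives `setApp`; the first case in the `-791` hunk now covers only the empty-in, root-out path. A regression that overwrote an image-supplied identity with "0" would pass the expectations shown here. I would add one table entry whose input app carries a non-root pair, for example `app.User, app.Group = "1000", "22"` (constructed sample values), and whose `expect` keeps both unchanged. The table and the loop that builds the input app continue outside this hunk, so an existing case may already cover this.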
@@ -851,7 +855,7 @@ func TestSetApp(t *testing.T) { expect: &appctypes.App{ Exec: appctypes.Exec{"/bin/bar", "hello", "world"}, User: "42", - Group: "22", + Group: "0", SupplementaryGIDs: []int{1, 2, 3}, WorkingDirectory: tmpDir, Environment: []appctypes.EnvironmentVariable{ @@ -914,7 +918,7 @@ func TestSetApp(t *testing.T) { expect: &appctypes.App{ Exec: appctypes.Exec{"/bin/bar", "foo", "hello", "world", "bar"}, User: "42", - Group: "22", + Group: "0", SupplementaryGIDs: []int{1, 2, 3}, WorkingDirectory: tmpDir, Environment: []appctypes.EnvironmentVariable{