Require Run As Non-root

Description

Containers must be required to run as non-root users.

Restricted Fields

  • spec.securityContext.runAsNonRoot
  • spec.containers[*].securityContext.runAsNonRoot
  • spec.initContainers[*].securityContext.runAsNonRoot
  • spec.ephemeralContainers[*].securityContext.runAsNonRoot

Allowed Values

  • true

Note: The container fields may be undefined/nil if the pod-level spec.securityContext.runAsNonRoot is set to true.

Risks

Here are some risks associated with running containers as root and why setting runAsNonRoot: true is important:

  • Privilege Escalation: Running containers as root increases the risk of privilege escalation. An attacker may be able to take over the host system or other containers by exploiting vulnerabilities if they manage to get access to a container that is running as root. Running containers as non-root users reduces this risk and lessens the possible impact of a security breach.

  • Unintended Host Modifications: Root-level containers have the ability to change system-level configurations, which may impact the host system’s stability and security.

Kyverno Policy

Refer to the Nirmata curated policies - require-run-as-nonroot.yaml

References

Configuration Settings

Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to true, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to true.

securityContext:
  runAsNonRoot: "true"
=(ephemeralContainers):
- =(securityContext):
    =(runAsNonRoot): "true"
=(initContainers):
- =(securityContext):
    =(runAsNonRoot): "true"
containers:
- =(securityContext):
    =(runAsNonRoot): "true"

Resource Example

Below is a Deployment resource example where spec.securityContext.runAsNonRoot is set to true. It is therefore valid for containers field to have securityContext.runAsNonRoot undefined.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
      securityContext:
        runAsNonRoot: true

Below is a Deployment resource example where spec.securityContext.runAsNonRoot field is not present. It is therefore absolutely necessary for the containers field to have securityContext.runAsNonRoot set to true in order for this resource to be conformant with this security control.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment08
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          runAsNonRoot: true
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          runAsNonRoot: true