Require Run As Non-root User

Description

Containers must not set runAsUser to 0.

Restricted Fields

  • spec.securityContext.runAsUser
  • spec.containers[*].securityContext.runAsUser
  • spec.initContainers[*].securityContext.runAsUser
  • spec.ephemeralContainers[*].securityContext.runAsUser

Allowed Values

  • any non-zero value
  • undefined/null

Risks

Here are some risks associated with running containers as the root user:

  • Privilege Escalation: Running containers as root increases the risk of privilege escalation. An attacker who gains access to a container running as root may be able to exploit vulnerabilities to take over the host system or other containers. Running containers as non-root users reduces this risk and limits the impact of a compromise.

  • Unintended Host Modifications: Root-level containers have the ability to change system-level configurations, which may impact the host system’s stability and security.

Kyverno Policy

Refer to the Nirmata curated policies - require-run-as-non-root-user.yaml

References

Configuration Settings

Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.

=(securityContext):
  =(runAsUser): ">0"
=(ephemeralContainers):
- =(securityContext):
    =(runAsUser): ">0"
=(initContainers):
- =(securityContext):
    =(runAsUser): ">0"
containers:
- =(securityContext):
    =(runAsUser): ">0"

Resource Example

Below is a Deployment resource example that passes this control: every securityContext.runAsUser field, at the pod level and in each container, is set to a non-zero value.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          runAsUser: 1
      - name: container02
        image: dummyimagename
        securityContext:
          runAsUser: 2
      securityContext:
        runAsUser: 10
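As an added example that is not part of this page or the Nirmata policy set, the following Python checker applies the rule above (an explicit runAsUser of 0 in any of the four restricted fields is a violation; unset or null, and any non-zero value, are allowed) to a Pod or Deployment manifest that has already been parsed into a dict. The function names and the two sample manifests are constructed for this example.

```python
# Added example: standalone checker for the "Require Run As Non-root User" rule.
# Assumes the manifest is a plain dict (for example from json.load or yaml.safe_load).

def _pod_spec(manifest):
    """Return (pod_spec, path_prefix) for a Pod or for a workload with a pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec, "spec"
    template_spec = (spec.get("template") or {}).get("spec")
    if template_spec is None:
        return spec, "spec"
    return template_spec, "spec.template.spec"

def _is_root_uid(value):
    # Allowed values are undefined/null and any non-zero value; only an explicit 0 fails.
    return value is not None and value == 0

def find_root_user_violations(manifest):
    """Return the path of every restricted runAsUser field that is explicitly set to 0."""
    pod_spec, prefix = _pod_spec(manifest)
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}
    if _is_root_uid(pod_sc.get("runAsUser")):
        violations.append(f"{prefix}.securityContext.runAsUser")
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for i, container in enumerate(pod_spec.get(field) or []):
            sc = container.get("securityContext") or {}
            if _is_root_uid(sc.get("runAsUser")):
                violations.append(f"{prefix}.{field}[{i}].securityContext.runAsUser")
    return violations

# Constructed sample: mirrors the passing Deployment shown above.
GOOD_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 10},
        "containers": [
            {"name": "container01", "securityContext": {"runAsUser": 1}},
            {"name": "container02", "securityContext": {"runAsUser": 2}},
        ]}}},
}

# Constructed sample: a Pod that sets runAsUser to 0 at the pod level and in an init container.
BAD_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"runAsUser": 0},
        "initContainers": [{"name": "init", "securityContext": {"runAsUser": 0}}],
        "containers": [{"name": "app", "securityContext": {"runAsUser": 1000}}],
    },
}
```

Note that, exactly like the policy, this checker accepts a manifest that leaves runAsUser unset, so a container whose image defaults to the root user still passes; enforcing a non-root UID at runtime is what the separate runAsNonRoot field addresses.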