Pods should not run containers as the root user
Description
Running as a non-root user helps ensure that an attacker does not gain root privileges to the host system in the event of a container breakout.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that a Kubernetes.Pod configures a pod securityContext where runAsNonRoot is true or where runAsUser is set to a non-zero value. If a pod securityContext is not set, then these configurations should be set on a container securityContext.
Example Configuration
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo1
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsNonRoot: true
---
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo2
spec:
  securityContext:
    runAsUser: 1001
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
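The rule above as an added Python check (example code, not the policy tool's own implementation) run over already-parsed Pod manifests: it applies the pod-level/container-level securityContext precedence from the remediation steps (a container-level field overrides the pod-level one), treats an explicit runAsUser: 0 as a finding even beside runAsNonRoot: true, and also inspects initContainers, which the rule text does not mention. The manifest dicts are constructed inline; the two compliant ones mirror the examples on this page.

```python
def effective_context(pod_sc, container_sc):
    """Merge pod- and container-level securityContext; container fields win."""
    merged = {}
    for key in ("runAsNonRoot", "runAsUser"):
        if key in container_sc:
            merged[key] = container_sc[key]
        elif key in pod_sc:
            merged[key] = pod_sc[key]
    return merged

def is_non_root(ctx):
    """True when the effective context guarantees a non-root user."""
    uid = ctx.get("runAsUser")
    if uid == 0:
        # Explicit root. Stricter than the rule's wording; a container that
        # also sets runAsNonRoot: true is refused by the kubelet at start.
        return False
    return ctx.get("runAsNonRoot") is True or (isinstance(uid, int) and uid > 0)

def find_root_containers(pod):
    """Names of containers that may run as root; an empty list is compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    # initContainers are checked as well; the rule text names only containers.
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            ctx = effective_context(pod_sc, c.get("securityContext") or {})
            if not is_non_root(ctx):
                findings.append(c["name"])
    return findings

# Constructed manifests (parsed dicts): the page's two compliant pods plus two non-compliant ones.
SEC_DEMO1 = {"kind": "Pod", "metadata": {"name": "sec-demo1"}, "spec": {
    "containers": [{"name": "sec-demo-container",
                    "image": "gcr.io/google-samples/node-hello:1.0",
                    "securityContext": {"runAsNonRoot": True}}]}}
SEC_DEMO2 = {"kind": "Pod", "metadata": {"name": "sec-demo2"}, "spec": {
    "securityContext": {"runAsUser": 1001},
    "containers": [{"name": "sec-demo-container",
                    "image": "gcr.io/google-samples/node-hello:1.0"}]}}
# Pod-level uid 1001 is overridden by a container-level runAsUser: 0.
ROOT_OVERRIDE = {"kind": "Pod", "metadata": {"name": "root-override"}, "spec": {
    "securityContext": {"runAsUser": 1001},
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"runAsUser": 0}}]}}
# No securityContext anywhere: nothing constrains the user, so it is a finding.
NO_CONTEXT = {"kind": "Pod", "metadata": {"name": "no-context"}, "spec": {
    "containers": [{"name": "app", "image": "example/app:1.0"}]}}
```

Calling find_root_containers on each manifest returns an empty list for sec-demo1 and sec-demo2 and ["app"] for the two constructed non-compliant pods.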