Pods should not run containers as the root user

Description

Running as a non-root user helps ensure that an attacker does not gain root privileges to the host system in the event of a container breakout.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that a Kubernetes.Pod configures a pod securityContext where runAsNonRoot is true or where runAsUser is set to a non-zero value. If a pod securityContext is not set, these settings should instead be configured on each container's securityContext.

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: sec-demo1
spec:
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsNonRoot: true
---
apiVersion: v1
kind: Pod
metadata:
  name: sec-demo2
spec:
  securityContext:
    runAsUser: 1001
  containers:
  - name: sec-demo-container
    image: gcr.io/google-samples/node-hello:1.0
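The following script is an added example, not part of the original rule page or of any scanner's own code. It applies the remediation rule above to Pod manifests: a container passes if its effective runAsUser is non-zero or its effective runAsNonRoot is true, where a container-level securityContext overrides the pod-level one (this is Kubernetes' documented precedence). Manifests are handled as plain Python dicts, the structure a YAML loader would produce, so it runs with no third-party dependency; the sample manifests, container names and the helper names are constructed for illustration. It also covers initContainers and the edge case where a pod sets runAsUser to 1001 but one container overrides it back to 0.

```python
"""Check Kubernetes Pod manifests for the 'do not run as root' rule.

Added example, not code from the original page. Manifests are plain
dicts (what yaml.safe_load would return); sample data is constructed.
"""


def effective_setting(pod_sc, container_sc, key):
    """Resolve a securityContext field: container-level overrides pod-level."""
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)


def container_is_non_root(pod_sc, container):
    """True if the container is guaranteed not to run as UID 0."""
    container_sc = container.get("securityContext") or {}
    run_as_user = effective_setting(pod_sc, container_sc, "runAsUser")
    run_as_non_root = effective_setting(pod_sc, container_sc, "runAsNonRoot")
    if run_as_user == 0:
        # An explicit UID 0 is root regardless of any other setting.
        return False
    if run_as_user is not None:
        # Explicit non-zero UID satisfies the rule.
        return True
    # No UID pinned: only runAsNonRoot: true makes the kubelet refuse root.
    return run_as_non_root is True


def find_violations(manifest):
    """Return 'field/name' for every container that may run as root."""
    if manifest.get("kind") != "Pod":
        return []
    spec = manifest.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            if not container_is_non_root(pod_sc, container):
                violations.append(f"{field}/{container['name']}")
    return violations


# Constructed sample manifests (dict form of the YAML examples above,
# plus two failing cases).
SEC_DEMO1 = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sec-demo1"},
    "spec": {"containers": [{
        "name": "sec-demo-container",
        "image": "gcr.io/google-samples/node-hello:1.0",
        "securityContext": {"runAsNonRoot": True},
    }]},
}
SEC_DEMO2 = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sec-demo2"},
    "spec": {
        "securityContext": {"runAsUser": 1001},
        "containers": [{
            "name": "sec-demo-container",
            "image": "gcr.io/google-samples/node-hello:1.0",
        }],
    },
}
NO_CONTEXT = {  # no securityContext anywhere: violates the rule
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "no-ctx"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1"}]},
}
OVERRIDE_ROOT = {  # pod says 1001, but one container overrides back to 0
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "override"},
    "spec": {
        "securityContext": {"runAsUser": 1001},
        "initContainers": [{"name": "init", "image": "example/init:1"}],
        "containers": [{"name": "app", "image": "example/app:1",
                        "securityContext": {"runAsUser": 0}}],
    },
}


def report(manifests):
    """Map pod name -> list of violating containers (empty list = compliant)."""
    return {m["metadata"]["name"]: find_violations(m) for m in manifests}


if __name__ == "__main__":
    for name, bad in report([SEC_DEMO1, SEC_DEMO2, NO_CONTEXT, OVERRIDE_ROOT]).items():
        status = "OK" if not bad else "FAIL " + ", ".join(bad)
        print(f"{name}: {status}")
```

Both example pods from the page pass; the pod with no securityContext fails, and in the override case the init container inherits UID 1001 and passes while the app container, which pins runAsUser: 0, is reported. To run this against real files, load each YAML document with yaml.safe_load_all and pass the resulting dicts to find_violations.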