Containers rely on the traditional Unix security model granting explicit and implicit permissions to resources, through permissions granted to users and groups. User namespaces are not enabled in Kubernetes. The container's user ID table maps to the host's user table, and running a process as the root user inside a container runs it as root on the host. Although possible, we do not recommend running as root inside the container.
Containers that run as root usually have far more permissions than their workload requires. In case of compromise, an attacker can use these permissions to further an attack on the network. Several container images use the root user to run PID 1. An attacker will have root permissions in the container and be able to exploit mis-configurations.
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
runAsNonRoot (Optional) If true, Requires the container to run without root privileges. Default to false.
runAsUser (Optional) If user number is anything other than 0, requires the container to run with that user id, which is not root.
apiVersion: v1 kind: Pod metadata: name: <name> spec: securityContext: + runAsNonRoot: true + runAsUser: <specific user>
apiVersion: batch/v1beta1 kind: CronJob metadata: name: <name> spec: schedule: <> jobTemplate: spec: template: spec: securityContext: + runAsNonRoot: true + runAsUser: <specific user>
apiVersion: <> kind: <kind> metadata: name: <name> spec: template: spec: securityContext: + runAsNonRoot: true + runAsUser: <specific user>
Updated 5 months ago