Minimize admission of root containers

Error: Admission of root containers not minimized

Bridgecrew Policy ID: BC_K8S_22
Checkov Check ID: CKV_K8S_23
Severity: MEDIUM

Admission of root containers not minimized

Description

Containers rely on the traditional Unix security model granting explicit and implicit permissions to resources, through permissions granted to users and groups. User namespaces are not enabled in Kubernetes. The container's user ID table maps to the host's user table, and running a process as the root user inside a container runs it as root on the host. Although possible, we do not recommend running as root inside the container.

Containers that run as root usually have far more permissions than their workload requires. In case of compromise, an attacker can use these permissions to further an attack on the network. Several container images use the root user to run PID 1. An attacker will have root permissions in the container and be able to exploit mis-configurations.

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Arguments:
    runAsNonRoot (Optional) If true, Requires the container to run without root privileges. Default to false.
    runAsUser (Optional) If user number is anything other than 0, requires the container to run with that user id, which is not root.
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
    securityContext:
+   runAsNonRoot: true
+   runAsUser: <specific user>
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
            securityContext:
+            runAsNonRoot: true
+                        runAsUser: <specific user>
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
        securityContext:
+           runAsNonRoot: true
+               runAsUser: <specific user>

Did this page help you?