Ensure containers run with a high UID to avoid host conflict

Error: Containers do not run with a high UID

Bridgecrew Policy ID: BC_K8S_37
Checkov Check ID: CKV_K8S_40
Severity: LOW

Containers do not run with a high UID

Description

Linux namespaces provide isolation for running processes and limits access to system resources. To prevent privilege-escalation attacks from within a container, we recommend that you configure your container’s applications to run as unprivileged users. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but have no privileges on the host machine itself.

If a process attempts to escalate privilege outside of the namespace, the process is running as an unprivileged high-number UID on the host, not mapped to a real user. This means the process has no privileges on the host system and cannot be attacked by this method.

This check will trigger below UID 10,000 as common linux distributions will assign UID 1000 to the first non-root, non system user and 1000 users should provide a reasonable buffer.

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Argument: runAsUser (Optional)
    Specifies the User ID that processes within the container and/or pod run with.
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
    securityContext:
+   runAsUser: <UID higher then 10000>
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
            securityContext:
+                        runAsUser: <UID higher then 1000>
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
        securityContext:
+               runAsUser: <UID higher then 1000>

Did this page help you?