Linux namespaces provide isolation for running processes and limit their access to system resources. To prevent privilege-escalation attacks from within a container, we recommend that you configure your container's applications to run as unprivileged users. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but which have no privileges on the host machine itself.
If a process attempts to escalate privilege outside of the namespace, it is running on the host as an unprivileged high-number UID that is not mapped to a real user. The process therefore has no privileges on the host system, and the host cannot be attacked by this method.
This check triggers for any UID below 10,000: common Linux distributions assign UID 1000 to the first non-root, non-system user, and 1000 users should provide a reasonable buffer.
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Argument: runAsUser (Optional)
Specifies the User ID that processes within the container and/or pod run with.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
  securityContext:
    runAsUser: <UID higher than 10000>   # added
```

```yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
          securityContext:
            runAsUser: <UID higher than 10000>   # added
```

```yaml
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
      securityContext:
        runAsUser: <UID higher than 10000>   # added
```
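The following is an added example, not the policy engine's own code, showing how the rule described above can be evaluated against the listed workload kinds. It walks to the pod spec for each kind (top level for Pod, under `jobTemplate` for CronJob, under `template` for the others), then resolves the effective `runAsUser` per container, since a container-level `securityContext` overrides the pod-level one. The manifests are constructed inline as Python dicts (what a YAML loader would return) so the example runs without dependencies; the names `web`, `app` and `job` are made up.

```python
"""Added example: evaluate the 'run as a high UID' policy on Kubernetes manifests.
Manifests are constructed inline as dicts (the shape yaml.safe_load would return).
"""

MIN_UID = 10000  # threshold from the policy text: any UID below this triggers the check


def pod_spec_of(manifest: dict) -> dict:
    """Return the pod spec for the workload kinds the policy covers."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return (spec.get("jobTemplate", {}).get("spec", {})
                    .get("template", {}).get("spec", {}))
    # Deployment, DaemonSet, StatefulSet, ReplicaSet, ReplicationController, Job
    return spec.get("template", {}).get("spec", {})


def check_run_as_user(manifest: dict) -> list:
    """Return a list of findings; an empty list means the manifest passes.

    The effective UID is resolved per container: a container-level
    securityContext.runAsUser overrides the pod-level value. An unset UID is
    reported as a finding in this example, because the container then runs as
    whatever user the image defines, which is often root.
    """
    pod_spec = pod_spec_of(manifest)
    pod_uid = pod_spec.get("securityContext", {}).get("runAsUser")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    findings = []
    for c in containers:
        uid = c.get("securityContext", {}).get("runAsUser", pod_uid)
        name = c.get("name", "<unnamed>")
        if uid is None:
            findings.append(f"{name}: runAsUser not set")
        elif uid < MIN_UID:
            findings.append(f"{name}: runAsUser {uid} is below {MIN_UID}")
    return findings


# Constructed sample manifests (hypothetical names and images).
PASSING_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsUser": 10001},
        "containers": [{"name": "app", "image": "example/app"}],
    },
}

# Pod-level UID is fine, but the container overrides it with a low UID.
FAILING_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 10001},
        "containers": [{"name": "app", "image": "example/app",
                        "securityContext": {"runAsUser": 1000}}],
    }}},
}

# No runAsUser anywhere: the effective user comes from the image.
FAILING_CRONJOB = {
    "apiVersion": "batch/v1beta1", "kind": "CronJob", "metadata": {"name": "job"},
    "spec": {"schedule": "*/5 * * * *", "jobTemplate": {"spec": {"template": {"spec": {
        "containers": [{"name": "job", "image": "example/job"}],
    }}}}},
}

if __name__ == "__main__":
    for m in (PASSING_POD, FAILING_DEPLOYMENT, FAILING_CRONJOB):
        result = check_run_as_user(m)
        print(m["kind"], m["metadata"]["name"], "PASS" if not result else result)
```

The per-container resolution matters in practice: a manifest that sets a high UID at the pod level can still be brought below the threshold by a single container's own `securityContext`, which is what the Deployment sample demonstrates.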