Container Running With Low UID

  • Query id: 02323c00-cdc3-4fdc-a310-4f2b3e7a1660
  • Query name: Container Running With Low UID
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Best Practices
  • CWE: Ongoing
  • URL: Github

Description

Checks whether containers are running with a low UID, which might conflict with users already defined in the host's user table.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false
Positive test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10
    runAsNonRoot: false
  containers:
    - name: sec-ctx-demo-100
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        runAsUser: 333
        runAsNonRoot: false
    - name: sec-ctx-demo-200
      image: gcr.io/google-samples/node-hedwfwllo:1.0
      securityContext:
        runAsUser: 340
        runAsNonRoot: false
Positive test num. 3 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: containers-runs-as-root
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - name: sec-ctx-demo-100
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        runAsUser: 13
        runAsNonRoot: false

Positive test num. 4 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 1200
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            readOnlyRootFilesystem: true
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            readOnlyRootFilesystem: true
Positive test num. 5 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            readOnlyRootFilesystem: true
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            readOnlyRootFilesystem: true
Positive test num. 6 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 12000
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            runAsUser: 1234
            readOnlyRootFilesystem: true
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            runAsUser: 5678
            readOnlyRootFilesystem: true
Positive test num. 7 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            runAsUser: 1234
            readOnlyRootFilesystem: true
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10000
  containers:
    - name: sec-ctx-demo-2
      image: gcr.io/google-samples/node-hello:1.0
      securityContext:
        runAsUser: 10100
        allowPrivilegeEscalation: false
Negative test num. 2 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 65532
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            readOnlyRootFilesystem: true
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
Negative test num. 3 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            runAsUser: 12000
            readOnlyRootFilesystem: true
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            readOnlyRootFilesystem: true
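An added example, not KICS's own Rego query, of how the check behind these samples can be evaluated: it resolves each container's effective runAsUser (container-level overriding pod-level), treats a missing value as a finding, and uses a cut-off of 10000, which is an assumption inferred from the positive and negative samples rather than a value stated on the page. The two manifests are constructed dicts mirroring Positive test num. 7 and Negative test num. 3.

```python
# Assumed cut-off, inferred from this page's positive/negative samples (not a KICS constant).
LOW_UID_THRESHOLD = 10000

def pod_spec(manifest):
    """Return the PodSpec of a Pod, or the pod template spec of a workload such as a Deployment."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})

def effective_run_as_user(spec, container):
    """A container-level runAsUser overrides the pod-level one; None means neither is set."""
    ctx = container.get("securityContext") or {}
    if "runAsUser" in ctx:
        return ctx["runAsUser"]
    return (spec.get("securityContext") or {}).get("runAsUser")

def low_uid_findings(manifest):
    """Return (container name, effective uid) for every container that fails the check."""
    spec = pod_spec(manifest)
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        uid = effective_run_as_user(spec, c)
        if uid is None or uid < LOW_UID_THRESHOLD:  # None: runs as the image's default user
            findings.append((c["name"], uid))
    return findings

def deployment(pod_security_context, containers):
    """Build a minimal Deployment manifest (constructed here to mirror the page's samples)."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "securitydemo"},
            "spec": {"replicas": 2, "template": {"spec": {
                "securityContext": pod_security_context or {}, "containers": containers}}}}

# Constructed inputs mirroring Positive test num. 7 and Negative test num. 3 above.
POSITIVE_7 = deployment(None, [
    {"name": "frontend", "image": "nginx",
     "securityContext": {"runAsUser": 1234, "readOnlyRootFilesystem": True}},
    {"name": "echoserver", "image": "k8s.gcr.io/echoserver:1.4"},
])
NEGATIVE_3 = deployment({"runAsUser": 19000}, [
    {"name": "frontend", "image": "nginx",
     "securityContext": {"runAsUser": 12000, "readOnlyRootFilesystem": True}},
    {"name": "echoserver", "image": "k8s.gcr.io/echoserver:1.4",
     "securityContext": {"readOnlyRootFilesystem": True}},
])

if __name__ == "__main__":
    print(low_uid_findings(POSITIVE_7))  # [('frontend', 1234), ('echoserver', None)]
    print(low_uid_findings(NEGATIVE_3))  # []
```

The echoserver container in the negative sample passes only because it inherits the pod-level 19000, which is why the check must resolve the pod-level securityContext before concluding that a container has no UID set.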