Container Running With Low UID
- Query id: 02323c00-cdc3-4fdc-a310-4f2b3e7a1660
- Query name: Container Running With Low UID
- Platform: Kubernetes
- Severity: Medium
- Category: Best Practices
- CWE: Ongoing
- URL: Github
Description
Checks whether containers run with a low UID. Kubernetes resolves the effective user per container: `securityContext.runAsUser` set on the container overrides the pod-level `spec.securityContext.runAsUser`, and when neither is set the image's `USER` applies, which for many images is root (UID 0). Low UIDs, and UID 0 in particular, can collide with accounts in the host's user table, so a process that escapes the container or writes to a hostPath volume does so as a real host account. The check keys only on the resolved `runAsUser`; the samples below draw the line at 10000: a value of 10000 or higher passes, while anything below, or no value at all, is flagged.
Documentation
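As an added example, not part of the KICS documentation and not the KICS query itself (which is written in Rego), the following Python checker resolves each container's effective `runAsUser` the way Kubernetes does (container level over pod level, unset meaning the image's `USER`) and flags anything unset or below 10000. Manifests are handled as already-parsed dicts so the example runs without a YAML library; `find_low_uid_containers`, `LOW_UID_THRESHOLD` and the sample manifests (constructed here to mirror positive tests 6 and 7 and negative test 3) are assumptions of this example.

```python
"""Resolve each container's effective runAsUser and flag low or missing UIDs.

Added example for this page; it is not the KICS query and does not claim to
reproduce its exact logic. Manifests are dicts, i.e. what yaml.safe_load()
returns. The sample manifests at the bottom are constructed for this example.
"""
from typing import Any, Dict, List, Optional

# Boundary taken from the page's samples: 10000 passes, 5678 is flagged.
LOW_UID_THRESHOLD = 10000


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec of a Pod, or of a workload wrapping a pod template
    (Deployment, StatefulSet, DaemonSet, ReplicaSet, Job)."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def effective_run_as_user(pod_ctx: Dict[str, Any], container: Dict[str, Any]) -> Optional[int]:
    """Kubernetes precedence: the container's securityContext.runAsUser wins over
    the pod-level value; None means neither is set and the image's USER applies."""
    c_ctx = container.get("securityContext") or {}
    if "runAsUser" in c_ctx:
        return c_ctx["runAsUser"]
    return pod_ctx.get("runAsUser")


def find_low_uid_containers(manifest: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per container (init containers included) whose resolved
    runAsUser is unset or below LOW_UID_THRESHOLD."""
    spec = pod_spec(manifest)
    pod_ctx = spec.get("securityContext") or {}
    findings: List[Dict[str, Any]] = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            uid = effective_run_as_user(pod_ctx, container)
            if uid is None:
                reason = "runAsUser not set; image USER (often root) applies"
            elif uid < LOW_UID_THRESHOLD:
                reason = f"runAsUser {uid} is below {LOW_UID_THRESHOLD}"
            else:
                continue
            findings.append({"container": container.get("name"), "field": field,
                             "runAsUser": uid, "reason": reason})
    return findings


def _deployment(pod_ctx: Optional[Dict[str, Any]],
                containers: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Build a minimal Deployment dict (constructed test input)."""
    spec: Dict[str, Any] = {"containers": containers}
    if pod_ctx is not None:
        spec["securityContext"] = pod_ctx
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "securitydemo"},
            "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "web"}},
                     "template": {"metadata": {"labels": {"app": "web"}}, "spec": spec}}}


# Positive test 6: pod-level 12000 is overridden by low container-level values.
POSITIVE_6 = _deployment({"runAsUser": 12000}, [
    {"name": "frontend", "image": "nginx", "securityContext": {"runAsUser": 1234}},
    {"name": "echoserver", "image": "k8s.gcr.io/echoserver:1.4",
     "securityContext": {"runAsUser": 5678}},
])

# Positive test 7: no pod-level value; echoserver sets nothing at all.
POSITIVE_7 = _deployment(None, [
    {"name": "frontend", "image": "nginx", "securityContext": {"runAsUser": 1234}},
    {"name": "echoserver", "image": "k8s.gcr.io/echoserver:1.4"},
])

# Negative test 3: 19000 at pod level, 12000 on frontend, echoserver inherits 19000.
NEGATIVE_3 = _deployment({"runAsUser": 19000}, [
    {"name": "frontend", "image": "nginx", "securityContext": {"runAsUser": 12000}},
    {"name": "echoserver", "image": "k8s.gcr.io/echoserver:1.4"},
])

if __name__ == "__main__":
    for label, manifest in (("positive 6", POSITIVE_6), ("positive 7", POSITIVE_7),
                            ("negative 3", NEGATIVE_3)):
        print(label, find_low_uid_containers(manifest) or "clean")
```

To check a real file, load it with PyYAML's `yaml.safe_load()` (or `yaml.safe_load_all()` for a multi-document manifest) and pass each resulting dict to `find_low_uid_containers`. Note that a resolved UID of 0 is reported like any other low UID, and that an explicit `runAsNonRoot: true` is deliberately ignored here because it does not change which UID the process actually runs as.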
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false
```
Positive test num. 2 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 333
      runAsNonRoot: false
  - name: sec-ctx-demo-200
    image: gcr.io/google-samples/node-hedwfwllo:1.0
    securityContext:
      runAsUser: 340
      runAsNonRoot: false
```
Positive test num. 3 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: containers-runs-as-root
spec:
  securityContext:
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 13
      runAsNonRoot: false
```
Positive test num. 4 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 1200
      containers:
      - name: frontend
        image: nginx
        ports:
        - containerPort: 80
        securityContext:
          readOnlyRootFilesystem: true
      - name: echoserver
        image: k8s.gcr.io/echoserver:1.4
        ports:
        - containerPort: 8080
        securityContext:
          readOnlyRootFilesystem: true
```
Positive test num. 5 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: frontend
        image: nginx
        ports:
        - containerPort: 80
        securityContext:
          readOnlyRootFilesystem: true
      - name: echoserver
        image: k8s.gcr.io/echoserver:1.4
        ports:
        - containerPort: 8080
        securityContext:
          readOnlyRootFilesystem: true
```
Positive test num. 6 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 12000
      containers:
      - name: frontend
        image: nginx
        ports:
        - containerPort: 80
        securityContext:
          runAsUser: 1234
          readOnlyRootFilesystem: true
      - name: echoserver
        image: k8s.gcr.io/echoserver:1.4
        ports:
        - containerPort: 8080
        securityContext:
          runAsUser: 5678
          readOnlyRootFilesystem: true
```
Positive test num. 7 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: frontend
        image: nginx
        ports:
        - containerPort: 80
        securityContext:
          runAsUser: 1234
          readOnlyRootFilesystem: true
      - name: echoserver
        image: k8s.gcr.io/echoserver:1.4
        ports:
        - containerPort: 8080
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 10100
      allowPrivilegeEscalation: false
```
Negative test num. 2 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 65532
      containers:
      - name: frontend
        image: nginx
        ports:
        - containerPort: 80
        securityContext:
          readOnlyRootFilesystem: true
      - name: echoserver
        image: k8s.gcr.io/echoserver:1.4
        ports:
        - containerPort: 8080
```
Negative test num. 3 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
      - name: frontend
        image: nginx
        ports:
        - containerPort: 80
        securityContext:
          runAsUser: 12000
          readOnlyRootFilesystem: true
      - name: echoserver
        image: k8s.gcr.io/echoserver:1.4
        ports:
        - containerPort: 8080
        securityContext:
          readOnlyRootFilesystem: true
```