Container Running As Root

Query id: cf34805e-3872-4c08-bf92-6ff7bb0cfadb
Query name: Container Running As Root
Platform: Kubernetes
Severity: Medium
Category: Best Practices
CWE: 1188
URL: Github

Description¶

Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: false
      runAsNonRoot: false
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-3
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: false
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: false
      runAsNonRoot: false

Positive test num. 2 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false
  - name: sec-ctx-demo-200
    image: gcr.io/google-samples/node-hedwfwllo:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false

Positive test num. 3 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: containers-runs-as-root
spec:
  securityContext:
    runAsUser: 0
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false

Positive test num. 4 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  containers:
  - name: sec-ctx-demo-1
    image: gcr.io/google-samples/node-hello:1.0
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: false
      runAsNonRoot: false

Code samples without security vulnerabilities¶

Negative test num. 1 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10000
    runAsNonRoot: true
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 10100
      allowPrivilegeEscalation: false
      runAsNonRoot: true

Negative test num. 2 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-1
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 1000
      runAsNonRoot: false
  - name: sec-ctx-demo-200
    image: gcr.io/google-samples/node-hedwfwllo:1.0
    securityContext:
      runAsUser: 2000
      runAsNonRoot: true

Negative test num. 3 - yaml file

apiVersion: v1
kind: Pod
metadata:
  name: containers-runs-as-root
spec:
  securityContext:
    runAsUser: 0
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 1000
      runAsNonRoot: false