Container Running As Root
- Query id: cf34805e-3872-4c08-bf92-6ff7bb0cfadb
- Query name: Container Running As Root
- Platform: Kubernetes
- Severity: Medium
- Category: Best Practices
- CWE: 1188
- URL: Github
Description¶
Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-2
spec:
securityContext:
runAsUser: 1000
runAsNonRoot: false
containers:
- name: sec-ctx-demo-2
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsUser: 0
allowPrivilegeEscalation: false
runAsNonRoot: false
---
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-3
spec:
securityContext:
runAsUser: 1000
runAsNonRoot: false
containers:
- name: sec-ctx-demo-2
image: gcr.io/google-samples/node-hello:1.0
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
---
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
securityContext:
runAsUser: 1000
runAsNonRoot: true
containers:
- name: sec-ctx-demo-2
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsUser: 0
allowPrivilegeEscalation: false
runAsNonRoot: false
Positive test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-2
spec:
securityContext:
runAsUser: 10
runAsNonRoot: false
containers:
- name: sec-ctx-demo-100
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsUser: 0
runAsNonRoot: false
- name: sec-ctx-demo-200
image: gcr.io/google-samples/node-hedwfwllo:1.0
securityContext:
runAsUser: 0
runAsNonRoot: false
Positive test num. 3 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: containers-runs-as-root
spec:
securityContext:
runAsUser: 0
runAsNonRoot: false
containers:
- name: sec-ctx-demo-100
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsUser: 0
runAsNonRoot: false
Positive test num. 4 - yaml file
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-2
spec:
securityContext:
runAsUser: 10000
runAsNonRoot: true
containers:
- name: sec-ctx-demo-2
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsUser: 10100
allowPrivilegeEscalation: false
runAsNonRoot: true
Negative test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-1
spec:
securityContext:
runAsUser: 1000
runAsNonRoot: true
containers:
- name: sec-ctx-demo-100
image: gcr.io/google-samples/node-hello:1.0
securityContext:
runAsUser: 1000
runAsNonRoot: false
- name: sec-ctx-demo-200
image: gcr.io/google-samples/node-hedwfwllo:1.0
securityContext:
runAsUser: 2000
runAsNonRoot: true