Container Running As Root
- Query id: cf34805e-3872-4c08-bf92-6ff7bb0cfadb
- Query name: Container Running As Root
- Platform: Kubernetes
- Severity: Medium
- Category: Best Practices
- CWE: 1188
- Risk score: 5.8
- URL: Github
Description
Containers should only run as a non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: false
      runAsNonRoot: false
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-3
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: false
---
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-4
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: false
      runAsNonRoot: false
```
Positive test num. 2 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false
  - name: sec-ctx-demo-200
    image: gcr.io/google-samples/node-hedwfwllo:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false
```
Positive test num. 3 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: containers-runs-as-root
spec:
  securityContext:
    runAsUser: 0
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false
```
Positive test num. 4 - yaml file
Positive test num. 5 - yaml file
```yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: security-context-demo
spec:
  serviceName: "security-context-demo"
  replicas: 1
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          runAsNonRoot: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: security-context-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      securityContext:
        runAsNonRoot: false
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          runAsNonRoot: false
```
Positive test num. 6 - yaml file
```yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: security-context-demo
spec:
  serviceName: "security-context-demo"
  replicas: 1
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      securityContext:
        runAsNonRoot: false
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.0
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: security-context-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      securityContext:
        runAsNonRoot: false
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.0
```
Positive test num. 7 - yaml file
```yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: security-context-demo
spec:
  serviceName: "security-context-demo"
  replicas: 1
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.0
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: security-context-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.00
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10000
    runAsNonRoot: true
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 10100
      allowPrivilegeEscalation: false
      runAsNonRoot: true
```
Negative test num. 2 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-1
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 1000
      runAsNonRoot: false
  - name: sec-ctx-demo-200
    image: gcr.io/google-samples/node-hedwfwllo:1.0
    securityContext:
      runAsUser: 2000
      runAsNonRoot: true
```
Negative test num. 3 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: containers-runs-as-root
spec:
  securityContext:
    runAsUser: 0
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 1000
      runAsNonRoot: false
```
Negative test num. 4 - yaml file
```yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: security-context-demo
spec:
  serviceName: "security-context-demo"
  replicas: 1
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      securityContext:
        runAsUser: 1000
        runAsNonRoot: true
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          runAsUser: 1000
          runAsNonRoot: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: security-context-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      securityContext:
        runAsUser: 1000
        runAsNonRoot: true
      containers:
      - name: sec-ctx-demo
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          runAsUser: 1000
          runAsNonRoot: true
```
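The positive and negative samples above pin down when a container counts as running as root. As an added example (not KICS code and not the query's own Rego), the Python checker below applies the rule those samples imply: a container's own `securityContext`, when present, is judged alone, and the pod-level `securityContext` is consulted only for containers that have none; a context runs as root when `runAsUser` is 0, or when `runAsUser` is absent and `runAsNonRoot` is not `true`. The manifests are constructed inline as dicts mirroring the page's fixtures; a real tool would load them with a YAML parser, and the workload-kind list is an assumption.

```python
# Inferred rule (assumption, not KICS's Rego): a container is flagged unless
# the securityContext that applies to it sets runAsUser > 0 or runAsNonRoot: true.
# Note this is stricter than Kubernetes runtime semantics, which merge pod and
# container fields individually: security-context-demo-3 above runs as UID 1000
# at runtime yet is a positive sample, because its container context sets
# runAsNonRoot: false without its own runAsUser.

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}  # assumed set


def pod_spec(doc):
    """Return the PodSpec of a Pod, or of a workload's pod template; None otherwise."""
    kind = doc.get("kind")
    if kind == "Pod":
        return doc.get("spec", {})
    if kind in WORKLOAD_KINDS:
        return doc.get("spec", {}).get("template", {}).get("spec", {})
    return None


def runs_as_root(ctx):
    """True when securityContext `ctx` (possibly empty) does not rule out UID 0."""
    if "runAsUser" in ctx:
        return ctx["runAsUser"] == 0
    return ctx.get("runAsNonRoot") is not True


def find_root_containers(doc):
    """Names of containers and initContainers in `doc` that the rule flags."""
    spec = pod_spec(doc)
    if spec is None:
        return []
    flagged = []
    for group in ("initContainers", "containers"):
        for c in spec.get(group, []):
            # The container's own context wins outright; pod context only as fallback.
            ctx = c.get("securityContext") or spec.get("securityContext", {})
            if runs_as_root(ctx):
                flagged.append(c["name"])
    return flagged


# Constructed inputs mirroring the page's samples (positive 1, pod demo-3; negative 4).
FLAGGED_POD = {"kind": "Pod", "metadata": {"name": "security-context-demo-3"}, "spec": {
    "securityContext": {"runAsUser": 1000, "runAsNonRoot": False},
    "containers": [{"name": "sec-ctx-demo-2", "image": "gcr.io/google-samples/node-hello:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": False}}]}}
SAFE_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "security-context-demo"}, "spec": {
    "template": {"spec": {"securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
                          "containers": [{"name": "sec-ctx-demo",
                                          "securityContext": {"runAsUser": 1000, "runAsNonRoot": True}}]}}}}
```

Run `find_root_containers` over each document of a multi-document manifest; an empty list means every container satisfies the rule.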