Skip to content

Admission of root containers not minimized

Description

Containers rely on the traditional Unix security model granting explicit and implicit permissions to resources, through permissions granted to users and groups. User namespaces are not enabled in Kubernetes. The container's user ID table maps to the host's user table, and running a process as the root user inside a container runs it as root on the host. Although possible, we do not recommend running as root inside the container.

Containers that run as root usually have far more permissions than their workload requires. In case of compromise, an attacker can use these permissions to further an attack on the network. Several container images use the root user to run PID 1. An attacker will have root permissions in the container and be able to exploit mis-configurations.

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Arguments:
    runAsNonRoot (Optional) If true, Requires the container to run without root privileges. Default to false.
    runAsUser (Optional) If user number is anything other than 0, requires the container to run with that user id, which is not root.

```yaml Pod apiVersion: v1 kind: Pod metadata: name: spec: securityContext: + runAsNonRoot: true + runAsUser: 

```yaml CronJob
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
            securityContext:
+            runAsNonRoot: true
+                        runAsUser: <specific user>

yaml Other apiVersion: <> kind: <kind> metadata: name: <name> spec: template: spec: securityContext: + runAsNonRoot: true + runAsUser: <specific user>