Containers do not run with a high UID
Description
Linux namespaces provide isolation for running processes and limits access to system resources. To prevent privilege-escalation attacks from within a container, we recommend that you configure your container’s applications to run as unprivileged users. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but have no privileges on the host machine itself.
If a process attempts to escalate privilege outside of the namespace, the process is running as an unprivileged high-number UID on the host, not mapped to a real user. This means the process has no privileges on the host system and cannot be attacked by this method.
This check will trigger below UID 10,000 as common linux distributions will assign UID 1000 to the first non-root, non system user and 1000 users should provide a reasonable buffer.
Fix - Buildtime
Kubernetes
- Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
- Argument: runAsUser (Optional)
Specifies the User ID that processes within the container and/or pod run with.
```yaml Pod
apiVersion: v1
kind: Pod
metadata:
name:
```yaml CronJob
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: <name>
spec:
schedule: <>
jobTemplate:
spec:
template:
spec:
containers:
- name: <container name>
image: <image>
securityContext:
+ runAsUser: <UID higher then 10000>
yaml Other
apiVersion: <>
kind: <kind>
metadata:
name: <name>
spec:
template:
spec:
containers:
- name: <container name>
image: <image>
securityContext:
runAsUser: <UID higher then 10000>