
Root containers admitted

Description

In Kubernetes, a container's user ID table maps to the host's user table, so a process running as the root user inside a container runs as root on the host. Many container images run PID 1 as root. If PID 1 is compromised, the attacker holds root permissions in the container and can exploit any misconfiguration. Containers that run as root frequently have more permissions than their workload requires, which, in the event of compromise, helps an attacker extend their access further.

Code Example

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  runAsUser:
    rule: 'MustRunAsNonRoot'
```

or

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  runAsUser:
    rule: 'MustRunAs'
    ranges:
      - min: <min user, 1 or higher>
        max: <max user>
```

Remediation

Kubernetes

  • Resource: PodSecurityPolicy
  • Arguments:
      • runAsUser:rule:MustRunAsNonRoot - Prevents containers from running with root privileges.
      • runAsUser:rule:MustRunAs - When the minimum of the range is set to 1 or higher, containers cannot run as root.
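The following is an added example and is not code from the original page or from Checkov. It shows, in Python, the two checks the description and remediation above describe: whether a PodSecurityPolicy's `runAsUser` rule can still admit UID 0, and whether a Pod's effective `securityContext` leaves a container able to run as root. The manifests are constructed samples and are assumed to be already parsed into dictionaries (for example by a YAML loader); the function names `psp_admits_root` and `root_containers` are this example's own. PodSecurityPolicy was removed in Kubernetes v1.25, so on current clusters the Pod-level check is the one that still applies; it approximates the intent of CKV_K8S_6 rather than reproducing Checkov's implementation.

```python
"""Detect root containers in Kubernetes manifests (added example, not from the page)."""
from typing import Any, Dict, List


def psp_admits_root(psp: Dict[str, Any]) -> bool:
    """Return True if the PodSecurityPolicy's runAsUser rule can admit UID 0.

    MustRunAsNonRoot never admits root. MustRunAs admits root only if some
    range starts at 0. RunAsAny (or a missing rule) admits any UID.
    """
    run_as_user = psp.get("spec", {}).get("runAsUser", {}) or {}
    rule = run_as_user.get("rule", "RunAsAny")
    if rule == "MustRunAsNonRoot":
        return False
    if rule == "MustRunAs":
        ranges = run_as_user.get("ranges", []) or []
        # MustRunAs without ranges is invalid in Kubernetes; treat it as permissive here.
        if not ranges:
            return True
        return any(int(r.get("min", 0)) <= 0 for r in ranges)
    return True


def root_containers(pod: Dict[str, Any]) -> List[str]:
    """Return the names of containers in a Pod that may run as root.

    A container is flagged when its effective runAsUser is 0, or when neither
    runAsNonRoot: true nor a non-zero runAsUser is set (the image's USER then
    decides, and many images default to root). Container-level securityContext
    overrides the Pod-level one, mirroring Kubernetes' precedence rules.
    """
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {}) or {}
    flagged: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = c.get("securityContext", {}) or {}
        run_as_user = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        run_as_nonroot = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        if run_as_user == 0:
            flagged.append(c["name"])
        elif run_as_user is None and run_as_nonroot is not True:
            flagged.append(c["name"])
    return flagged


# Constructed sample manifests (not from a real cluster).
PSP_NONROOT = {"spec": {"runAsUser": {"rule": "MustRunAsNonRoot"}}}
PSP_RANGE_OK = {"spec": {"runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 2000}]}}}
PSP_RANGE_ROOT = {"spec": {"runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 0, "max": 65535}]}}}
PSP_ANY = {"spec": {"runAsUser": {"rule": "RunAsAny"}}}

POD_MIXED = {
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "image": "example/app:1.0"},  # inherits runAsNonRoot from the Pod
            {"name": "debug", "image": "example/tools:1.0",
             "securityContext": {"runAsUser": 0}},  # explicit override back to root
        ],
    }
}
POD_UNSET = {"spec": {"containers": [{"name": "web", "image": "example/web:1.0"}]}}


if __name__ == "__main__":
    for name, psp in [("nonroot", PSP_NONROOT), ("range-ok", PSP_RANGE_OK),
                      ("range-root", PSP_RANGE_ROOT), ("any", PSP_ANY)]:
        print(f"PSP {name}: admits root = {psp_admits_root(psp)}")
    for name, pod in [("mixed", POD_MIXED), ("unset", POD_UNSET)]:
        print(f"Pod {name}: root containers = {root_containers(pod)}")
```

The Pod-level check deliberately flags containers with no `runAsUser` and no `runAsNonRoot: true` as well as explicit UID 0: a manifest that says nothing leaves the decision to the image, and that is exactly the case the policy's `MustRunAsNonRoot` rule is meant to reject at admission.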

Rule Details

| Field      | Value       |
|------------|-------------|
| ID         | IAC-1084    |
| Severity   | MEDIUM      |
| IaC Type   | Kubernetes  |
| Frameworks | Kubernetes  |
| Checkov ID | CKV_K8S_6   |
