Ensure Workflow pods are running as non-root user
Description
This policy checks whether Argo Workflow pods are configured to run as a non-root user. Running containers as non-root is a security best practice because it limits the damage a vulnerability in the container can cause. If a container runs as root and is compromised, the attacker has root inside the container and, should a container-escape path exist, potentially on the host. Running as a non-root user reduces that attack surface and helps prevent privilege escalation.
Code Example
```yaml
spec:
  securityContext:
    runAsNonRoot: true
```
Remediation
Ensure the securityContext in the pod specification is set to runAsNonRoot: true.
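The following is an added example written for this page, not Checkov's own implementation of CKV_ARGO_2. It evaluates the rule against Argo Workflow manifests that have already been parsed into dictionaries (the shape a YAML loader returns), so it runs without extra dependencies. The page's snippet sets the field at the workflow level (`spec.securityContext`); as an extension, the example also accepts `runAsNonRoot: true` on a template's own `securityContext` or on its `container`/`script` `securityContext`, which Argo allows as overrides. The sample manifests are constructed for this example.

```python
"""Added example: a minimal IAC-0055 / CKV_ARGO_2 style check for Argo Workflows.

Illustrative code written for this page, not Checkov's implementation.
Manifests are supplied as parsed dictionaries (what yaml.safe_load would return).
"""

from typing import Any, Dict, List


def _run_as_non_root(security_context: Any) -> bool:
    """True only when securityContext.runAsNonRoot is the boolean true.

    A quoted string such as "true" is not accepted: Kubernetes expects a bool
    and a string would be rejected or misread, so we treat it as a failure.
    """
    return isinstance(security_context, dict) and security_context.get("runAsNonRoot") is True


def check_workflow(manifest: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the manifest passes.

    Passes outright when spec.securityContext.runAsNonRoot is true for the
    whole workflow. Otherwise each pod-producing template (one with a
    'container' or 'script' section) must set it at template or container
    level. Steps/DAG templates only orchestrate other templates and do not
    themselves run a container, so they are not checked directly.
    """
    spec = manifest.get("spec") or {}
    if _run_as_non_root(spec.get("securityContext")):
        return []

    templates = spec.get("templates") or []
    pod_templates = [t for t in templates if "container" in t or "script" in t]
    if not pod_templates:
        return ["spec.securityContext.runAsNonRoot is not true and no template sets it"]

    findings: List[str] = []
    for tmpl in pod_templates:
        name = tmpl.get("name", "<unnamed>")
        container = tmpl.get("container") or tmpl.get("script") or {}
        if _run_as_non_root(tmpl.get("securityContext")) or _run_as_non_root(container.get("securityContext")):
            continue
        findings.append(
            f"template '{name}' may run as root: runAsNonRoot: true is not set at "
            "workflow, template or container level"
        )
    return findings


# Constructed sample manifests (not taken from any real deployment).
_BASE_TEMPLATE = {"name": "main", "container": {"image": "busybox", "command": ["echo", "hello"]}}

FAILING_MANIFEST = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Workflow",
    "metadata": {"generateName": "hello-"},
    "spec": {"entrypoint": "main", "templates": [dict(_BASE_TEMPLATE)]},
}

# The remediation from the page applied at workflow level.
PASSING_MANIFEST = {
    **FAILING_MANIFEST,
    "spec": {**FAILING_MANIFEST["spec"], "securityContext": {"runAsNonRoot": True, "runAsUser": 1000}},
}

# No workflow-level setting; one template hardened on its container, one not,
# plus a steps template that runs no container of its own.
MIXED_MANIFEST = {
    **FAILING_MANIFEST,
    "spec": {
        "entrypoint": "flow",
        "templates": [
            {"name": "flow", "steps": [[{"name": "a", "template": "hardened"}], [{"name": "b", "template": "legacy"}]]},
            {"name": "hardened", "container": {"image": "busybox", "securityContext": {"runAsNonRoot": True}}},
            {"name": "legacy", "container": {"image": "busybox"}},
        ],
    },
}

# Common mistake: the value is a quoted string rather than a YAML boolean.
STRING_VALUE_MANIFEST = {
    **FAILING_MANIFEST,
    "spec": {**FAILING_MANIFEST["spec"], "securityContext": {"runAsNonRoot": "true"}},
}


if __name__ == "__main__":
    for label, m in [("failing", FAILING_MANIFEST), ("passing", PASSING_MANIFEST),
                     ("mixed", MIXED_MANIFEST), ("string-value", STRING_VALUE_MANIFEST)]:
        findings = check_workflow(m)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

One practical caveat when applying the remediation: `runAsNonRoot: true` is enforced by the kubelet at container start, so an image whose configured user is UID 0 will fail to start rather than silently run as root. Pair the setting with an image built to run as a non-root user, or set `runAsUser` to a non-zero UID as in the passing sample above.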
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0055 |
| Severity | MEDIUM |
| IaC Type | Argo Workflows |
| Frameworks | spec |
| Checkov ID | CKV_ARGO_2 |