Skip to main content

☑️ Prevent containers from accessing host files by using high GIDs

It's recommended for containers to run under UIDs that are not used on the host system. With a high UID number, a container is blocked from accessing host-based files even if it manages to gain access to a host's file system.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Enabled by default? True

Policy as code identifier: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID


This rule will fail

If runAsGroup is set to a value lower than 1000:

kind: Pod
spec:
securityContext:
runAsGroup: 300
kind: Deployment
spec:
containers:
- name: myContainer
securityContext:
runAsGroup: 300

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from accessing host files by using high GIDs [1 occurrence]
💡 Invalid value for key `runAsGroup` - must be greater than 999 to ensure container is running with non-root group membership

How to fix this failure

Set runAsGroup to a value higher than 999:

kind: Pod
spec:
securityContext:
runAsGroup: 4000
kind: Deployment
spec:
containers:
- name: myContainer
securityContext:
runAsGroup: 4000

Read more