Skip to main content

☑️ Prevent container from running with root privileges

NSA encourages developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges. Therefore, it's recommended for containers to run with the least privileges possible.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Enabled by default? True

Policy as code identifier: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE


This rule will fail

If runAsNonRoot is not set or set to false:

kind: Pod
spec:
securityContext:
runAsGroup: 5000
kind: Deployment
spec:
containers:
- name: myContainer
securityContext:
runAsNonRoot: false

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent container from running with root privileges [1 occurrence]
💡 Invalid value for key `runAsNonRoot` - must be set to `true` to prevent unnecessary privileges

How to fix this failure

Set runAsNonRoot to true:

kind: Pod
spec:
securityContext:
runAsNonRoot: true
kind: Deployment
spec:
containers:
- name: myContainer
securityContext:
runAsNonRoot: true

Read more