☑️ Prevent container from running with root privileges

NSA encourages developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges. Therefore, it's recommended for containers to run with the least privileges possible.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: easy (What does this mean?)

Policy as code identifier: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE

This rule will fail

If runAsNonRoot is not set or set to false:

kind: Pod
spec:
  securityContext:
    runAsGroup: 5000

kind: Deployment
spec:
  containers:
    - name: myContainer
      securityContext:
        runAsNonRoot: false

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent container from running with root privileges [1 occurrence]
💡 Invalid value for key `runAsNonRoot` - must be set to `true` to prevent unnecessary privileges

How to fix this failure

Set runAsNonRoot to true:

kind: Pod
spec:
  securityContext:
    runAsNonRoot: true

kind: Deployment
spec:
  containers:
    - name: myContainer
      securityContext:
        runAsNonRoot: true

KubSec - Run as non-root

This rule will fail​

Rule output in the CLI​

How to fix this failure​

Read more​

This rule will fail

Rule output in the CLI

How to fix this failure

Read more