Skip to main content

☑️ Prevent containers from accessing host files by using high UIDs

It's recommended for containers to use UIDs that are not used on the host system. With a high UID number, a container is blocked from accessing host-based files even if it manages to gain access to a host's file system.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Enabled by default? False

Policy as code identifier: CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID


This rule will fail

If runAsUser is set to a number lower than 10000

spec:
containers:
- name: app
image: nginx:1.19.8
securityContext:
runAsUser: 100

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from accessing host files by using high UIDs [1 occurrence]
💡 Incorrect value for key `runAsUser` - value should be above 9999 to reduce the likelihood that the UID is already taken

How to fix this failure

Set runAsUser to a number bigger than 9999

spec:
containers:
- name: app
image: nginx:1.19.8
securityContext:
runAsUser: 25000

Read more