Running as non-root

As part of our efforts to improve the security posture of the IT Common Platform, in coordination with and with the support of the VT IT Security Office, we are limiting the admission of root containers. This is item 5.2.7 of the CIS Kubernetes v1.23 Benchmark. We are using Pod Security Standards to enforce this by setting all containers to run in restricted mode.

Is my container running as root?

- Check your Dockerfiles for a `USER` instruction set to "root", "0", or "". Root is the default user for containers and will be used if none is specified.
- You can look for this in your Docker images programmatically using these commands:

  ```
  docker image pull <image location/name/tag>
  docker image inspect <image location/name/tag> | jq '.[].Config.User'
  ```

- Set `spec.securityContext.runAsNonRoot` to `true` for your deployment template or individual pod and test whether your pod starts. If it doesn't, you are using the root user.

What do I do if my container is running as root?

- Set `spec.securityContext.runAsNonRoot` to `true` on a test/development pod. This will immediately prevent your container from starting while it is using the root user.
- There may be official instructions from your image creator on how to change to a different user (or on whether that is possible). Check for these first and follow them.
- The simplest solution is to declare the desired id in the `Pod.containers.securityContext` spec. For example:

  ```yaml
  spec:
    containers:
      - name: my-container
        image: my-image:v3.14.15-926535-89793
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 235
          runAsGroup: 235
  ```

- Another solution is to update your Dockerfile to say `USER 235` in this case (or some other non-zero number like 65534). Note that Kubernetes expects the User and Group values to be integers, while Docker expects strings which can be converted into integers, as in the `USER 235` line above.
- If all else fails, contact the IT Common Platform Team for help using the normal channels.