---
title: "Require Run As Non-root User"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/restricted/require-run-as-non-root-user/
---



### Description
Neither the pod nor any of its containers (including init and ephemeral containers) may set `runAsUser` to `0`, the root UID.

**Restricted Fields**
* spec.securityContext.runAsUser
* spec.containers[*].securityContext.runAsUser
* spec.initContainers[*].securityContext.runAsUser
* spec.ephemeralContainers[*].securityContext.runAsUser

**Allowed Values**
* any non-zero value
* undefined/null

### Risks
Risks of running containers as the root user include:

* `Privilege Escalation`: Unless user namespaces are in use, UID 0 inside the container is UID 0 on the node. An attacker who gains code execution in a root container and then escapes it (through a kernel, runtime or misconfiguration flaw) lands on the host as root, with a direct path to other containers and to the node itself. Running as a non-root user removes that head start and limits the impact of a compromise.

* `Unintended Host Modifications`: A root container can change system-level configuration on any host resource exposed to it, which may affect the stability and security of the node.

### Kyverno Policy
Refer to the Nirmata curated policies - [require-run-as-non-root-user.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml)

### References
#### Configuration Settings
Running as root is not allowed. The fields `spec.securityContext.runAsUser`, `spec.containers[*].securityContext.runAsUser`, `spec.initContainers[*].securityContext.runAsUser`, and `spec.ephemeralContainers[*].securityContext.runAsUser` must be unset or set to a number greater than zero. In the Kyverno pattern below, `=(field)` is an equality (conditional) anchor: the check applies only when that field is present, so a pod or container that omits `runAsUser` passes. Keep in mind that an omitted `runAsUser` leaves the UID to the image's `USER` directive, which may still be root; this control rejects only an explicit `0`, so it complements, rather than replaces, requiring `runAsNonRoot: true`.

```yaml
=(securityContext):
  =(runAsUser): ">0"
=(ephemeralContainers):
- =(securityContext):
    =(runAsUser): ">0"
=(initContainers):
- =(securityContext):
    =(runAsUser): ">0"
containers:
- =(securityContext):
    =(runAsUser): ">0"
```

#### Resource Example
Below is a `Deployment` resource example that passes the policy: `runAsUser` is set to a value greater than `0` at the pod level and in every container. A container-level `securityContext.runAsUser` overrides the pod-level one, so `container01` runs as UID `1` and `container02` as UID `2`; the pod-level value of `10` would apply only to a container that did not set its own.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          runAsUser: 1
      - name: container02
        image: dummyimagename
        securityContext:
          runAsUser: 2
      securityContext:
        runAsUser: 10
```
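As an added example (not code from the Nirmata policy set or from Kyverno), the following Python check evaluates a pod spec the same way the pattern in Configuration Settings does: any of the four `runAsUser` fields set to `0` is a violation, any positive value passes, and an unset field passes. It also reports containers whose UID is pinned at neither level, the case the policy allows but where the image's `USER` decides whether the process is root, and it resolves the effective UID with the container-over-pod precedence shown in the Deployment above. The pod specs are constructed for illustration; the first is the Deployment's pod template from this page.

```python
"""Stand-alone check mirroring the Restricted 'Running as Non-root user' control.

Added example, not the Nirmata/Kyverno policy itself. Field names are the
real Kubernetes ones; the sample pod specs below are constructed for
illustration.
"""

# The three container lists a pod spec can carry, all of which the control covers.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def _run_as_user(obj):
    """Return obj.securityContext.runAsUser, or None if either is unset."""
    return (obj.get("securityContext") or {}).get("runAsUser")


def effective_uid(pod_spec, container):
    """UID the container will run as, or None when the image's USER decides.

    Container-level securityContext overrides the pod-level one.
    """
    uid = _run_as_user(container)
    return uid if uid is not None else _run_as_user(pod_spec)


def check_run_as_user(pod_spec):
    """Evaluate one pod spec against the control.

    Returns (passed, violations, unpinned): `violations` lists the field paths
    that explicitly set runAsUser to 0; `unpinned` lists containers whose UID
    is set at neither level (allowed by the policy, but the image default
    may still be root).
    """
    violations = []
    unpinned = []

    if _run_as_user(pod_spec) == 0:
        violations.append("spec.securityContext.runAsUser")

    for list_name in CONTAINER_LISTS:
        for idx, container in enumerate(pod_spec.get(list_name) or []):
            if _run_as_user(container) == 0:
                violations.append(f"spec.{list_name}[{idx}].securityContext.runAsUser")
            elif effective_uid(pod_spec, container) is None:
                unpinned.append(f"spec.{list_name}[{idx}] ({container.get('name')})")

    return (not violations, violations, unpinned)


# Constructed sample pod specs (illustrative only).

# The pod template from the Deployment example on this page: compliant.
GOOD_SPEC = {
    "containers": [
        {"name": "container01", "image": "dummyimagename", "securityContext": {"runAsUser": 1}},
        {"name": "container02", "image": "dummyimagename", "securityContext": {"runAsUser": 2}},
    ],
    "securityContext": {"runAsUser": 10},
}

# Pod-level runAsUser: 0 is rejected even though the container overrides it.
BAD_POD_LEVEL_SPEC = {
    "securityContext": {"runAsUser": 0},
    "containers": [
        {"name": "app", "image": "dummyimagename", "securityContext": {"runAsUser": 1000}},
    ],
}

# A root init container is rejected even when the pod level is non-root.
BAD_INIT_SPEC = {
    "securityContext": {"runAsUser": 10},
    "initContainers": [
        {"name": "setup", "image": "dummyimagename", "securityContext": {"runAsUser": 0}},
    ],
    "containers": [{"name": "app", "image": "dummyimagename"}],
}

# Nothing set anywhere: passes the policy, but the UID comes from the image.
UNPINNED_SPEC = {"containers": [{"name": "web", "image": "dummyimagename"}]}


if __name__ == "__main__":
    for label, spec in [("good", GOOD_SPEC), ("bad-pod-level", BAD_POD_LEVEL_SPEC),
                        ("bad-init", BAD_INIT_SPEC), ("unpinned", UNPINNED_SPEC)]:
        passed, violations, unpinned = check_run_as_user(spec)
        print(label, "PASS" if passed else "FAIL", violations, unpinned)
```

The `unpinned` list is the practical takeaway: a manifest can satisfy this control and still run as root, so a pre-merge check should treat that list as a warning and pair it with a `runAsNonRoot: true` requirement. The same manifests can be tested against the curated policy itself with `kyverno apply <policy.yaml> --resource <manifest.yaml>`.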


