---
title: "Require Run As Non-root"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/restricted/require-run-as-non-root/
---
### Description
Containers must be required to run as non-root users.

**Restricted Fields**
* spec.securityContext.runAsNonRoot
* spec.containers[*].securityContext.runAsNonRoot
* spec.initContainers[*].securityContext.runAsNonRoot
* spec.ephemeralContainers[*].securityContext.runAsNonRoot

**Allowed Values**
* true

*Note:* The container fields may be `undefined/nil` if the pod-level `spec.securityContext.runAsNonRoot` is set to true.

### Risks
Here are some risks associated with running containers as root and why setting `runAsNonRoot: true` is important:

* `Privilege Escalation`: Running containers as root increases the risk of privilege escalation. An attacker who gains access to a container running as root may be able to exploit vulnerabilities to take over the host system or other containers. Running containers as non-root users reduces this risk and lessens the possible impact of a security breach.

* `Unintended Host Modifications`: Root-level containers have the ability to change system-level configurations, which may impact the host system's stability and security.

### Kyverno Policy
Refer to the Nirmata curated policies - [require-run-as-nonroot.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml)

### References
#### Configuration Settings
Running as root is not allowed. Either the field `spec.securityContext.runAsNonRoot` must be set to `true`, or the fields `spec.containers[*].securityContext.runAsNonRoot`, `spec.initContainers[*].securityContext.runAsNonRoot`, and `spec.ephemeralContainers[*].securityContext.runAsNonRoot` must be set to `true`.

```yaml
securityContext:
  runAsNonRoot: "true"
=(ephemeralContainers):
- =(securityContext):
    =(runAsNonRoot): "true"
=(initContainers):
- =(securityContext):
    =(runAsNonRoot): "true"
containers:
- =(securityContext):
    =(runAsNonRoot): "true"
```
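The rule above resolves per container: a container's own `securityContext.runAsNonRoot` wins, and only when it is unset does the pod-level value apply. The following checker is an added example, not the Nirmata page's Kyverno policy and not Kyverno code; it applies that resolution to a Pod spec or to the Pod template of a workload, treats a container that explicitly sets `runAsNonRoot: false` as a violation even when the pod level is `true`, and accepts only the boolean `true` (a quoted `"true"` fails, and the API server would reject it for a boolean field anyway). The function names and the sample workloads are constructed for this example.

```python
# Added example: a minimal checker for the require-run-as-non-root control.
# This is not the page's Kyverno policy; the policy itself is the YAML linked
# above. The sample workloads below are constructed for illustration.

CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec_from_workload(obj):
    """Return the Pod spec from a Pod or from a templated workload
    (Deployment, StatefulSet, DaemonSet, Job, ...) given as a plain dict."""
    if obj.get("kind") == "Pod":
        return obj.get("spec") or {}
    return ((obj.get("spec") or {}).get("template") or {}).get("spec") or {}


def run_as_non_root_violations(pod_spec):
    """Return violation messages for one Pod spec; an empty list means the
    spec satisfies the control.

    Resolution mirrors the kubelet: a container's own
    securityContext.runAsNonRoot overrides the pod-level value. Only the
    boolean True counts; unset, False, or the string "true" all fail.
    """
    pod_value = (pod_spec.get("securityContext") or {}).get("runAsNonRoot")
    violations = []
    for field in CONTAINER_FIELDS:
        for idx, container in enumerate(pod_spec.get(field) or []):
            own = (container.get("securityContext") or {}).get("runAsNonRoot")
            effective = own if own is not None else pod_value
            if effective is not True:
                name = container.get("name") or f"{field}[{idx}]"
                source = "container-level" if own is not None else "pod-level"
                violations.append(
                    f"{field} '{name}': effective runAsNonRoot is "
                    f"{effective!r} ({source}); must be true"
                )
    return violations


def check_workload(obj):
    """Return (conforms, violations) for a Pod or templated workload."""
    violations = run_as_non_root_violations(pod_spec_from_workload(obj))
    return (not violations, violations)


# Constructed samples (not from the page). The first two mirror the shape of
# the page's two valid Deployments; the last two show the failure modes.
POD_LEVEL_TRUE = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [{"name": "container01", "image": "dummyimagename"}],
        "securityContext": {"runAsNonRoot": True},
    }}},
}
CONTAINER_LEVEL_TRUE = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "initcontainer01", "image": "dummyimagename",
                            "securityContext": {"runAsNonRoot": True}}],
        "containers": [{"name": "container01", "image": "dummyimagename",
                        "securityContext": {"runAsNonRoot": True}}],
    }}},
}
NOTHING_SET = {
    "kind": "Pod",
    "spec": {"initContainers": [{"name": "init"}],
             "containers": [{"name": "app"}]},
}
CONTAINER_OVERRIDES_FALSE = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app",
                        "securityContext": {"runAsNonRoot": False}}],
    },
}

if __name__ == "__main__":
    samples = [("pod-level true", POD_LEVEL_TRUE),
               ("container-level true", CONTAINER_LEVEL_TRUE),
               ("nothing set", NOTHING_SET),
               ("container overrides to false", CONTAINER_OVERRIDES_FALSE)]
    for label, obj in samples:
        ok, problems = check_workload(obj)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

The fourth sample is the case an admission-time check most easily misses: the pod level says `true`, but the container override makes the effective value `false`, so the checker reports it against the container rather than trusting the pod-level field.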

#### Resource Example
Below is a `Deployment` resource example where `spec.securityContext.runAsNonRoot` is set to `true`. It is therefore valid for the `containers` field to leave `securityContext.runAsNonRoot` undefined.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
      securityContext:
        runAsNonRoot: true
```

Below is a `Deployment` resource example where the `spec.securityContext.runAsNonRoot` field is not present. It is therefore necessary for every entry in the `containers` and `initContainers` fields to set `securityContext.runAsNonRoot` to `true` in order for this resource to conform to this security control.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment08
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          runAsNonRoot: true
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          runAsNonRoot: true
```