Description
Containers must be required to run as non-root users.
Restricted Fields
- spec.securityContext.runAsNonRoot
- spec.containers[*].securityContext.runAsNonRoot
- spec.initContainers[*].securityContext.runAsNonRoot
- spec.ephemeralContainers[*].securityContext.runAsNonRoot
Allowed Values
- true
Note: The container fields may be undefined/nil if the pod-level spec.securityContext.runAsNonRoot is set to true.
Kyverno Policy
Refer to the Nirmata curated policies - require-run-as-nonroot.yaml
References
Configuration Settings
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to true, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to true. In the Kyverno pattern below, the pod-level field is mandatory, while the `=()` conditional anchors mean a container-level securityContext.runAsNonRoot is only checked when it is present; when present it must be true, so a container cannot override the pod-level setting back to false.
```yaml
securityContext:
  runAsNonRoot: "true"
=(ephemeralContainers):
- =(securityContext):
    =(runAsNonRoot): "true"
=(initContainers):
- =(securityContext):
    =(runAsNonRoot): "true"
containers:
- =(securityContext):
    =(runAsNonRoot): "true"
```
Resource Example
Below is a Deployment resource example where spec.securityContext.runAsNonRoot is set to true. It is therefore valid for the containers field to have securityContext.runAsNonRoot undefined.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
      securityContext:
        runAsNonRoot: true
```
Below is a Deployment resource example where the spec.securityContext.runAsNonRoot field is not present. It is therefore absolutely necessary for every entry in the containers and initContainers fields to have securityContext.runAsNonRoot set to true in order for this resource to be conformant with this security control.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment08
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          runAsNonRoot: true
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          runAsNonRoot: true
```
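The following is an added example, not code from the Nirmata policy or from Kyverno: a stand-alone Python check that applies the same rule as the pattern above to both Deployment examples and to a constructed Pod in which a sidecar overrides the pod-level setting back to false. Manifests are embedded as dicts (what `yaml.safe_load` would return) so it runs offline.

```python
# Added example, not code from the Nirmata policy or Kyverno: a stand-alone
# check that mirrors the rule on this page. A container is safe when its own
# securityContext.runAsNonRoot is true, or it is unset and the pod-level
# spec.securityContext.runAsNonRoot is true (container-level settings override
# pod-level ones). Manifests are constructed inline as dicts, i.e. what
# yaml.safe_load would return, so the example runs offline without PyYAML.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(manifest: dict) -> dict:
    """Pod spec of a Pod, or of a workload (Deployment etc.) via its template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def run_as_non_root_violations(manifest: dict) -> list[str]:
    """Names of containers that may run as root; an empty list means conformant."""
    spec = pod_spec(manifest)
    pod_level = (spec.get("securityContext") or {}).get("runAsNonRoot")
    violations = []
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            own = (c.get("securityContext") or {}).get("runAsNonRoot")
            effective = own if own is not None else pod_level
            if effective is not True:  # None (unset) or False both fail
                violations.append(f"{field}/{c['name']}")
    return violations


# Constructed samples: the page's two conformant Deployments and a violator.
GOOD_POD_LEVEL = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "container01", "image": "dummyimagename"}]}}}}
GOOD_CONTAINER_LEVEL = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "initcontainer01", "image": "dummyimagename",
                        "securityContext": {"runAsNonRoot": True}}],
    "containers": [{"name": "container01", "image": "dummyimagename",
                    "securityContext": {"runAsNonRoot": True}}]}}}}
# Pod-level true, but a sidecar overrides it back to false and would run as root.
BAD_OVERRIDE = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "dummyimagename"},
                   {"name": "sidecar", "image": "dummyimagename",
                    "securityContext": {"runAsNonRoot": False}}]}}

if __name__ == "__main__":
    for name, m in [("gooddeployment", GOOD_POD_LEVEL),
                    ("gooddeployment08", GOOD_CONTAINER_LEVEL), ("badpod", BAD_OVERRIDE)]:
        print(name, run_as_non_root_violations(m) or "conformant")
```

The third sample is why the Kyverno pattern uses `=(runAsNonRoot): "true"` rather than ignoring container-level fields: a pod-level true alone is not sufficient.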