Description
Containers must not set runAsUser to 0.
Restricted Fields
- spec.securityContext.runAsUser
- spec.containers[*].securityContext.runAsUser
- spec.initContainers[*].securityContext.runAsUser
- spec.ephemeralContainers[*].securityContext.runAsUser
Allowed Values
- any non-zero value
- undefined/null
Kyverno Policy
Refer to the Nirmata curated policies - require-run-as-non-root-user.yaml
Configuration Settings
Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.
```yaml
=(securityContext):
  =(runAsUser): ">0"
=(ephemeralContainers):
- =(securityContext):
    =(runAsUser): ">0"
=(initContainers):
- =(securityContext):
    =(runAsUser): ">0"
containers:
- =(securityContext):
    =(runAsUser): ">0"
```
Resource Example
Below is a Deployment resource example where securityContext.runAsUser is set to any number other than 0.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          runAsUser: 1
      - name: container02
        image: dummyimagename
        securityContext:
          runAsUser: 2
      securityContext:
        runAsUser: 10
```
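The following is an added example, not part of the Nirmata policy or the Kyverno project: a stand-alone Python check that applies the same rule as the pattern above to a Pod or pod-template workload already loaded as a dict, walking the pod-level securityContext and all three container lists. Unset runAsUser passes (as the allowed values say), so the check reports only explicit values that are not greater than zero; the sample manifests are constructed here, the first one mirroring the Deployment above.

```python
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec of a Pod, or of a workload carrying a pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def run_as_user_violations(manifest: dict) -> list:
    """(field path, value) pairs where runAsUser is set but not > 0.

    Mirrors the pattern: each field is checked independently, and a
    missing securityContext or missing runAsUser is allowed.
    """
    spec = pod_spec(manifest)
    violations = []

    def check(ctx, path):
        if not isinstance(ctx, dict):
            return
        uid = ctx.get("runAsUser")
        # A string "0" or a negative number also fails the ">0" pattern.
        if uid is not None and not (isinstance(uid, int) and uid > 0):
            violations.append((path + ".runAsUser", uid))

    check(spec.get("securityContext"), "spec.securityContext")
    for key in CONTAINER_LISTS:
        for i, container in enumerate(spec.get(key) or []):
            check(container.get("securityContext"), f"spec.{key}[{i}].securityContext")
    return violations


# Constructed sample: the compliant Deployment from the page (users 1, 2 and 10).
GOOD = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [
        {"name": "container01", "securityContext": {"runAsUser": 1}},
        {"name": "container02", "securityContext": {"runAsUser": 2}},
    ],
    "securityContext": {"runAsUser": 10},
}}}}

# Constructed sample: an init container explicitly asks for UID 0; the
# app container has no securityContext at all, which the policy allows.
BAD = {"kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "init", "securityContext": {"runAsUser": 0}}],
    "containers": [{"name": "app"}],
}}}}

if __name__ == "__main__":
    for name, manifest in (("good", GOOD), ("bad", BAD)):
        print(name, run_as_user_violations(manifest))
```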