5.2.7 Minimize the admission of root containers

Information

Do not generally permit containers to be run as the root user.

Rationale:

Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features still have a escalated likelihood of container breakout.

Ideally, all containers should run as a defined non-UID 0 user.

There should be at least one admission control policy defined which does not permit root containers.

If you need to run root containers, this should be defined in a separate policy and you should carefully check to ensure that only limited service accounts and users are given permission to use that policy.

Impact:

Pods with containers which run as the root user will not be permitted.

Solution

Create a policy for each namespace in the cluster, ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.

Default Value:

By default, there are no restrictions on the use of root containers and if a User is not specified in the image, the container will run as root.

See Also

https://workbench.cisecurity.org/files/4111