1.7.6 Do not admit root containers

Information

Do not generally permit containers to be run as the root user.

Rationale:

Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features still have a escalated likelihood of container breakout.

Ideally, all containers should run as a defined non-UID 0 user.

There should be at least one PodSecurityPolicy (PSP) defined which does not permit root users in a container.

If you need to run root containers, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.

Solution

Create a PSP as described in the Kubernetes documentation, ensuring that the '.spec.runAsUser.rule' is set to either 'MustRunAsNonRoot' or 'MustRunAs' with the range of UIDs not including 0.

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|5.1

Plugin: Unix

Control ID: 8e25af84c5535f8459ae2ffb60907ad4388111bd044b20e8441f886e82997870