Finds containers allowed to run as root.
kubeaudit nonroot [flags]
See Global Flags
$ kubeaudit nonroot -f "auditors/nonroot/fixtures/run-as-non-root-nil.yml"
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment
namespace: run-as-non-root-nil
--------------------------------------------
-- [error] RunAsNonRootPSCNilCSCNil
Message: runAsNonRoot is not set in container SecurityContext nor the PodSecurityContext. It should be set to 'true' in at least one of the two.
Metadata:
Container: container
Containers should be run as a non-root user with the minimum required permissions (principle of least privilege).
This can be done by setting runAsNonRoot to true in either the PodSecurityContext or container SecurityContext. If runAsNonRoot is unset in the Container SecurityContext, it will inherit the value of the Pod SecurityContext. If runAsNonRoot is unset in the Pod SecurityContext, it defaults to false which means it must be explicitly set to true in either the Container SecurityContext or the Pod SecurityContext for the nonroot audit to pass.
Note that the Container SecurityContext takes precedence over the Pod SecurityContext so setting runAsNonRoot to false in the Container SecurityContext will always fail the nonroot audit unless an override is used.
Ideally, runAsNonRoot should be set to true in the PodSecurityContext:
apiVersion: apps/v1
kind: Deployment
spec:
template: #PodTemplateSpec
spec: #PodSpec
securityContext: #PodSecurityContext
runAsNonRoot: true
containers:
- name: myContainerAlternatively it's possible to enforce non-root containers by setting runAsUser to a non-root UID (>0) in either the PodSecurityContext or container SecurityContext. Conversely, if runAsUser is set to 0 in either the PodSecurityContext or container SecurityContext then the container will always run as root and so the audit will fail.
If runAsUser is set to a non-root UID (either in PodSecurityContext or container SecurityContext) it won't matter if runAsNonRoot is set to false or nil and so the audit will always pass.
As for runAsNonRoot, ideally, runAsUser should be set to a non-root UID in the PodSecurityContext:
apiVersion: apps/v1
kind: Deployment
spec:
template: #PodTemplateSpec
spec: #PodSpec
securityContext: #PodSecurityContext
runAsUser: 1000
containers:
- name: myContainerIf a container needs to run as root, it should be enabled for that container only in the container's SecurityContext. This will require an override label so kubeaudit knows it is intentional. See Override Errors.
For more information on pod and container security contexts see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
First, see the Introduction to Override Errors.
Override identifer: allow-run-as-root
Container overrides have the form:
container.kubeaudit.io/[container name].allow-run-as-root: ""Pod overrides have the form:
kubeaudit.io/allow-run-as-root: ""Example of resource with nonroot overridden for a specific container:
apiVersion: apps/v1
kind: Deployment
spec:
template: #PodTemplateSpec
metadata:
labels:
container.kubeaudit.io/myContainer.allow-run-as-root: ""
spec: #PodSpec
securityContext: #PodSecurityContext
runAsNonRoot: true
containers:
- name: myContainer
securityContext: #SecurityContext
runAsNonRoot: false
- name: myContainer2Example of resource with nonroot overridden for a whole pod:
apiVersion: apps/v1
kind: Deployment
spec:
template: #PodTemplateSpec
metadata:
labels:
kubeaudit.io/allow-run-as-root: ""
spec: #PodSpec
securityContext: #PodSecurityContext
runAsNonRoot: true
containers:
- name: myContainer
securityContext: #SecurityContext
runAsNonRoot: false
- name: myContainer2
securityContext: #SecurityContext
runAsNonRoot: falseExample of resource with nonroot overridden for a specific container using runAsUser:
apiVersion: apps/v1
kind: Deployment
spec:
template: #PodTemplateSpec
metadata:
labels:
container.kubeaudit.io/myContainer.allow-run-as-root: ""
spec: #PodSpec
securityContext: #PodSecurityContext
runAsUser: 1000
containers:
- name: myContainer
securityContext: #SecurityContext
runAsUser: 0
- name: myContainer2