Policy does not prevent use of root user Affecting Deployment service in Kubernetes

Snyk CCSS

IAM/ Privileged Access

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-ControlsCIS-Kubernetes

Snyk IDSNYK-CC-00635
creditSnyk Research Team

Report a new misconfiguration Found a mistake?

Description

The Pod Security Policy does not prevent the use of the root user. Running a container as the root user in Kubernetes increases the attack surface by granting the container more privileges than necessary.

How to fix?

Set runAsUser to MustRunAsNonRoot, or exclude UID 0 from MustRunAs range.

Set run_as_user to MustRunAsNonRoot, or exclude UID 0 from MustRunAs range.

Example Configuration

resource "kubernetes_pod_security_policy" "allowed" {
  metadata {
    name = "terraform-example"
  }
  spec {
    privileged                 = false
    allow_privilege_escalation = false

    volumes = [
      "configMap",
      "emptyDir",
      "projected",
      "secret",
      "downwardAPI",
      "persistentVolumeClaim",
    ]

    run_as_user {
        rule = "MustRunAsNonRoot"
    }

    se_linux {
      rule = "RunAsAny"
    }

    supplemental_groups {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    fs_group {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    read_only_root_filesystem = true
  }
}
resource "kubernetes_pod_security_policy" "allowed2" {
  metadata {
    name = "terraform-example635"
  }
  spec {
    privileged                 = false
    allow_privilege_escalation = false

    volumes = [
      "configMap",
      "emptyDir",
      "projected",
      "secret",
      "downwardAPI",
      "persistentVolumeClaim",
    ]

    run_as_user {
        rule = "MustRunAs"
        range {
          min = 1
          max = 65535
        }
    }

    se_linux {
      rule = "RunAsAny"
    }

    supplemental_groups {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    fs_group {
      rule = "MustRunAs"
      range {
        min = 1
        max = 65535
      }
    }

    read_only_root_filesystem = true
  }
}

Terraform

kubernetes_pod_security_policy

References

users-and-groups