yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value
semgrepWhen running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container, with the parameter runAsNonRoot set to true. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a securityContext to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.
Run Locally
Run in CI
Defintion
rules:
- id: run-as-non-root-unsafe-value
patterns:
- pattern-either:
- pattern: |
spec:
...
securityContext:
...
runAsNonRoot: $VALUE
- patterns:
- pattern-inside: |
containers:
...
- pattern: |
image: ...
...
securityContext:
...
runAsNonRoot: $VALUE
- metavariable-pattern:
metavariable: $VALUE
pattern: |
false
- focus-metavariable: $VALUE
fix: |
true
message: When running containers in Kubernetes, it's important to ensure that
they are properly secured to prevent privilege escalation attacks. One
potential vulnerability is when a container is allowed to
run applications as the root user, which could allow an attacker to
gain access to sensitive resources. To mitigate this risk, it's
recommended to add a `securityContext` to the container, with the
parameter `runAsNonRoot` set to `true`. This will ensure that the
container runs as a non-root user, limiting the damage that could be
caused by any potential attacks. By adding a `securityContext` to the
container in your Kubernetes pod, you can help to ensure that your
containerized applications are more secure and less vulnerable to
privilege escalation attacks.
metadata:
references:
- https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user
cwe:
- "CWE-250: Execution with Unnecessary Privileges"
owasp:
- A05:2021 - Security Misconfiguration
- A06:2017 - Security Misconfiguration
category: security
technology:
- kubernetes
subcategory:
- audit
likelihood: MEDIUM
impact: HIGH
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization
languages:
- yaml
severity: INFO
Examples
run-as-non-root-unsafe-value.test.yaml
---
apiVersion: v1
kind: Pod
spec:
containers:
- name: redis
image: redis
securityContext:
# ruleid: run-as-non-root-unsafe-value
runAsNonRoot: false
- name: haproxy
image: haproxy
securityContext:
# ok: run-as-non-root-unsafe-value
runAsNonRoot: true
---
apiVersion: v1
kind: Pod
spec:
securityContext:
# ruleid: run-as-non-root-unsafe-value
runAsNonRoot: false
containers:
- name: redis
image: redis
- name: haproxy
image: haproxy
securityContext:
# ok: run-as-non-root-unsafe-value
runAsNonRoot: true
---
apiVersion: v1
kind: Pod
spec:
securityContext:
# ok: run-as-non-root-unsafe-value
runAsNonRoot: true
containers:
- name: redis
image: redis
- name: haproxy
image: haproxy
securityContext:
# ruleid: run-as-non-root-unsafe-value
runAsNonRoot: false