yaml.kubernetes.security.run-as-non-root.run-as-non-root
semgrepAuthor
418
Download Count*
License
When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container, with the parameter runAsNonRoot set to true. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a securityContext to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.
Run Locally
Run in CI
Defintion
rules:
- id: run-as-non-root
patterns:
- pattern-inside: |
$SPEC:
...
containers:
...
...
- metavariable-regex:
metavariable: $SPEC
regex: ^(spec)$
- pattern-not-inside: |
spec:
...
securityContext:
...
...
- pattern-inside: |
$SPEC:
...
containers:
...
- pattern-not-inside: |
$SPEC:
...
containers:
...
- name: $NAME
image: ...
...
securityContext:
...
runAsNonRoot: $VALUE
- focus-metavariable: $SPEC
fix: |
$SPEC:
securityContext:
runAsNonRoot: true #
message: When running containers in Kubernetes, it's important to ensure that
they are properly secured to prevent privilege escalation attacks. One
potential vulnerability is when a container is allowed to
run applications as the root user, which could allow an attacker to
gain access to sensitive resources. To mitigate this risk, it's
recommended to add a `securityContext` to the container, with the
parameter `runAsNonRoot` set to `true`. This will ensure that the
container runs as a non-root user, limiting the damage that could be
caused by any potential attacks. By adding a `securityContext` to the
container in your Kubernetes pod, you can help to ensure that your
containerized applications are more secure and less vulnerable to
privilege escalation attacks.
metadata:
references:
- https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user
category: security
cwe:
- "CWE-250: Execution with Unnecessary Privileges"
owasp:
- A05:2021 - Security Misconfiguration
- A06:2017 - Security Misconfiguration
technology:
- kubernetes
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization
languages:
- yaml
severity: INFO
Examples
run-as-non-root.test.yaml
---
apiVersion: v1
kind: Pod
# ruleid: run-as-non-root
spec:
containers:
- name: nginx
image: nginx
- name: postgres
image: postgres
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
- name: haproxy
image: haproxy
---
apiVersion: v1
kind: Pod
# this is ok because runAsNonRoot defined at container level: fix other containers at that level
# ok: run-as-non-root
spec:
containers:
- name: nginx
image: nginx
- name: postgres
image: postgres
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
- name: haproxy
image: haproxy
securityContext:
runAsNonRoot: true
---
apiVersion: v1
kind: Pod
spec:
# this is ok because securityContext defined at pod level already: different fix needed
# ok: run-as-non-root
securityContext:
runAsGroup: 3000
containers:
- name: nginx
image: nginx
- name: postgres
image: postgres
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
- name: haproxy
image: haproxy
---
apiVersion: v1
kind: Pod
spec:
# this is ok because runAsNonRoot defined at pod level already
# ok: run-as-non-root
securityContext:
runAsNonRoot: true
containers:
- name: nginx
image: nginx
- name: postgres
image: postgres
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
- name: haproxy
image: haproxy
Short Link: https://sg.run/dgP5