Profile Applicability:
Level 1
Description:
Running containers as the root user exposes the cluster to unnecessary risk: unless user namespaces are in use, UID 0 inside a container is UID 0 on the node, so any container escape lands as root on the host. This check ensures that containers are not allowed to run as root unless absolutely required, reducing the impact of privilege escalation and container breakout attacks. Applying this policy restricts containers to non-root users and improves overall cluster security.
Rationale:
Containers running as root hold elevated privileges: a process with UID 0 can modify any file the container can reach, including mounted host paths and volumes, and is the starting point most container breakout techniques assume. Because the container's UID 0 is the node's UID 0 unless user namespaces are enabled, a breach of one root container can become a compromise of the node and, through the credentials on it, of the cluster. Running containers as non-root users shrinks this attack surface and keeps workloads better isolated from one another and from the host.
Impact:
Pros:
Reduces the risk of privilege escalation and container breakouts.
Enhances security by enforcing the least privilege principle.
Prevents containers from having excessive control over the host system.
Cons:
Some workloads may require root to perform specific actions, such as binding to ports below 1024 or writing to paths owned by root in the image. Many of these cases can be avoided by listening on an unprivileged port behind a Service, granting only the NET_BIND_SERVICE capability, or fixing file ownership when the image is built.
May require updates to existing workloads to ensure they run as non-root users.
Default Value:
Kubernetes does not set a user by default. A container with no runAsUser or runAsNonRoot in its Pod or container securityContext runs as the user named by the image's USER instruction, and images that omit USER run as root (UID 0).
Pre-requisites:
Ensure that an admission mechanism enforces the setting cluster-wide rather than relying on individual manifests: Pod Security Admission (the built-in restricted profile requires runAsNonRoot: true) or a policy engine such as the Azure Policy add-on for AKS. PodSecurityPolicy (PSP) was deprecated in Kubernetes v1.21 and removed in v1.25, so it is not available on supported AKS versions.
Test Plan:
Using Azure Console:
Navigate to the Azure portal, open your Azure Kubernetes Service (AKS) cluster and select Kubernetes resources > Workloads.
Open each Pod (or the Deployment, StatefulSet or DaemonSet that manages it) and review the securityContext in the YAML view, at both the Pod level (spec.securityContext) and the container level (spec.containers[].securityContext).
Ensure that the effective runAsUser is a non-root UID (e.g., runAsUser: 1000) and that runAsNonRoot is set to true for every container. A container-level setting overrides the Pod-level one, so a container that sets runAsUser: 0 is non-compliant even when the Pod sets a non-root user.
Using Azure CLI:
Obtain cluster credentials, then list the runAsUser set at the Pod level and on each container:
az aks get-credentials --resource-group <resource-group> --name <cluster-name>
kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}pod:{.spec.securityContext.runAsUser}{"\t"}{range .spec.containers[*]}{.name}:{.securityContext.runAsUser}{" "}{end}{"\n"}{end}'
Ensure that each container's runAsUser, or the Pod-level value it inherits, is a non-root UID such as 1000. A blank value means the field is not set and the image's USER instruction decides, so confirm the running UID of such containers with kubectl exec and id -u; the result must not be 0.
Verify that runAsNonRoot is set to true at the Pod level or on every container:
kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}pod:{.spec.securityContext.runAsNonRoot}{"\t"}{range .spec.containers[*]}{.name}:{.securityContext.runAsNonRoot}{" "}{end}{"\n"}{end}'
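The inheritance rules above (container-level fields override Pod-level ones, and an unset field leaves the decision to the image) are easy to get wrong when reading jsonpath output by hand. The following Python script is an added example, not part of this benchmark: it computes the effective runAsUser and runAsNonRoot for every container, init container and ephemeral container from the JSON that kubectl get pods -A -o json returns, and reports containers with neither field set as unknown rather than compliant. The embedded SAMPLE_PODS data is constructed for the example; pipe real cluster output into the script to audit a live cluster (kubectl get pods -A -o json | python3 audit_root.py), which exits non-zero if anything is not compliant.

```python
"""Compute the effective runAsUser / runAsNonRoot of every container in a Pod list."""
import json
import sys

# Constructed sample of `kubectl get pods -A -o json`, trimmed to the fields this
# check reads. Not captured from a real cluster.
SAMPLE_PODS = {
    "items": [
        {   # compliant: Pod-level settings are inherited by the container
            "metadata": {"namespace": "prod", "name": "web-7d9f"},
            "spec": {
                "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged:1.25"}],
            },
        },
        {   # violation: container-level runAsUser: 0 overrides the Pod-level 1000
            "metadata": {"namespace": "prod", "name": "batch-1"},
            "spec": {
                "securityContext": {"runAsUser": 1000},
                "containers": [{"name": "job", "securityContext": {"runAsUser": 0}}],
            },
        },
        {   # unknown: nothing set on "app", so the image's USER decides; "init" is compliant
            "metadata": {"namespace": "dev", "name": "legacy"},
            "spec": {
                "initContainers": [{"name": "init", "securityContext": {"runAsNonRoot": True}}],
                "containers": [{"name": "app"}],
            },
        },
    ]
}


def effective_context(pod_spec, container):
    """Merge the Pod-level securityContext with the container's; the container wins per field."""
    pod_ctx = pod_spec.get("securityContext") or {}
    ctr_ctx = container.get("securityContext") or {}
    return {
        "runAsUser": ctr_ctx.get("runAsUser", pod_ctx.get("runAsUser")),
        "runAsNonRoot": ctr_ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")),
    }


def classify(ctx):
    """Return 'compliant', 'violation' or 'unknown' for an effective context."""
    uid, non_root = ctx["runAsUser"], ctx["runAsNonRoot"]
    if uid == 0:
        return "violation"   # explicit root; the kubelet refuses this when runAsNonRoot is true
    if uid is not None or non_root is True:
        return "compliant"   # pinned non-zero UID, or the kubelet verifies the image USER is not 0
    return "unknown"         # image USER decides; confirm with `kubectl exec ... -- id -u`


def audit(pod_list):
    """Return (namespace, pod, container, status, context) for every container kind."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for ctr in spec.get(kind, []):
                ctx = effective_context(spec, ctr)
                findings.append((meta["namespace"], meta["name"], ctr["name"], classify(ctx), ctx))
    return findings


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    pods = json.loads(raw) if raw.strip() else SAMPLE_PODS   # fall back to the constructed sample
    problems = [f for f in audit(pods) if f[3] != "compliant"]
    for ns, pod, ctr, status, ctx in problems:
        print(f"{status:9} {ns}/{pod} container={ctr} "
              f"runAsUser={ctx['runAsUser']} runAsNonRoot={ctx['runAsNonRoot']}")
    sys.exit(1 if problems else 0)
```

Treat "unknown" findings as work items rather than passes: either pin a UID in the manifest or set runAsNonRoot: true so the kubelet verifies the image user at start-up.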
Implementation Plan:
Using Azure Console:
In the Azure portal, open the AKS cluster, select Kubernetes resources > Workloads and open the YAML view of the Deployment (or StatefulSet, DaemonSet or Job) that manages the Pods. Running Pods cannot be fixed in place, because the user fields of a Pod's securityContext are immutable; change the controller's Pod template and let it roll out new Pods.
Update the security context so containers run as non-root users:
Add runAsUser: 1000 (or another non-root UID that matches the file ownership in the image) under spec.template.spec.securityContext, where it applies to every container in the Pod, or under an individual container's securityContext, which overrides the Pod-level value.
Set runAsNonRoot: true as well. With it, the kubelet refuses to start a container whose resolved user is UID 0. Note that it also refuses a container whose image specifies a non-numeric USER and that has no runAsUser, because it cannot verify that the user is non-root.
Example configuration:
securityContext:
  runAsUser: 1000
  runAsNonRoot: true
Apply these settings to every Pod template in the cluster, and check any container that sets its own securityContext, since a container-level runAsUser: 0 still wins over a non-root Pod-level value.
Using Azure CLI:
To configure a Pod or Deployment to use a non-root user, add the security context to the manifest, either at the Pod level (spec.securityContext for a Pod, spec.template.spec.securityContext for a Deployment) or on each container:
securityContext:
  runAsUser: 1000
  runAsNonRoot: true
Apply the updated manifest:
kubectl apply -f pod-spec.yaml
To edit an existing Deployment in place, run
kubectl edit deployment <deployment-name> --namespace=<namespace-name>
and add the securityContext fields under spec.template.spec as shown above; the Deployment controller then replaces the running Pods. Watch the new Pods for CreateContainerConfigError, which is what the kubelet reports when runAsNonRoot is true but the container's user resolves to root or cannot be verified.
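Editing each Deployment by hand does not scale, and a Pod-level setting alone does not fix a container that explicitly sets runAsUser: 0. The following Python script is an added example, not part of this benchmark: from a Deployment's JSON it builds a strategic-merge patch that sets runAsNonRoot: true and runAsUser on the Pod template and adds a per-container override for every container or init container that pins UID 0 or sets runAsNonRoot: false. kubectl merges the containers lists by name, so containers not listed in the patch keep their existing settings. SAMPLE_DEPLOYMENT is constructed for the example and the UID 1000 is an assumption; use the UID the image's file ownership expects.

```python
"""Build a strategic-merge patch that makes every container of a Deployment run as non-root."""
import json
import sys

DEFAULT_UID = 1000  # assumed non-root UID; pick the one the image was built for

# Constructed sample Deployment, trimmed to what the patch builder reads.
# One container inherits nothing, one forces UID 0, the init container is untouched.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "template": {
            "spec": {
                "initContainers": [{"name": "init", "image": "busybox:1.36"}],
                "containers": [
                    {"name": "web", "image": "nginxinc/nginx-unprivileged:1.25"},
                    {"name": "sidecar", "image": "example/agent:1.0",
                     "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": False}},
                ],
            }
        }
    },
}


def needs_override(container):
    """True when the container's own securityContext would defeat a Pod-level non-root setting."""
    ctx = container.get("securityContext") or {}
    return ctx.get("runAsUser") == 0 or ctx.get("runAsNonRoot") is False


def non_root_patch(deployment, uid=DEFAULT_UID):
    """Return a strategic-merge patch (as a dict) for the Deployment's Pod template.

    The Pod-level fields cover every container that sets neither runAsUser nor
    runAsNonRoot. Containers that explicitly set runAsUser: 0 or runAsNonRoot: false
    get their own override, because container-level values always win over Pod-level
    ones. Other keys in those containers' securityContext (e.g. allowPrivilegeEscalation)
    survive, since a strategic merge only replaces the keys present in the patch.
    """
    template = deployment["spec"]["template"]["spec"]
    non_root = {"runAsNonRoot": True, "runAsUser": uid}
    patch_spec = {"securityContext": dict(non_root)}
    for kind in ("initContainers", "containers"):
        overrides = [
            {"name": ctr["name"], "securityContext": dict(non_root)}
            for ctr in template.get(kind, [])
            if needs_override(ctr)
        ]
        if overrides:          # lists merge by container name, so list only offenders
            patch_spec[kind] = overrides
    return {"spec": {"template": {"spec": patch_spec}}}


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    deployment = json.loads(raw) if raw.strip() else SAMPLE_DEPLOYMENT  # fall back to the sample
    print(json.dumps(non_root_patch(deployment), indent=2))
```

Against a live cluster: kubectl get deployment <deployment-name> -n <namespace-name> -o json | python3 make_patch.py > patch.json, review patch.json, then kubectl patch deployment <deployment-name> -n <namespace-name> --patch-file patch.json. StatefulSets and DaemonSets keep their Pod template at the same path, so the same function applies to them.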
Backout Plan:
Using Azure Console:
If restricting root containers breaks a workload, revert the change by editing the controller's Pod template in the portal YAML view to remove the non-root settings (or to set runAsUser: 0), and record the exception, since the workload will then fail any admission policy that enforces this check.
Using Azure CLI:
Revert the Pod template by removing the runAsUser and runAsNonRoot settings, or by setting runAsUser: 0 to allow the container to run as root. In the latter case runAsNonRoot must be false or absent, because the kubelet will not start a container that has runAsNonRoot: true and a resolved UID of 0:
securityContext:
  runAsUser: 0
  runAsNonRoot: false
Apply the updated configuration:
kubectl apply -f pod-spec.yaml
References:
Kubernetes Security Context Documentation (Configure a Security Context for a Pod or Container)
Kubernetes Pod Security Admission Documentation (PodSecurityPolicy, which this check previously relied on, was removed in Kubernetes v1.25)