Container running as root

문서 > Datadog 보안 > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Container running as root

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: cf34805e-3872-4c08-bf92-6ff7bb0cfadb

Cloud Provider: k8s

Framework: Kubernetes

Severity: Medium

Category: Best Practices

Learn More

Provider Reference

Description

Containers should run only as a non-root user. This limits the exploitability of security misconfigurations and restricts an attacker’s options in case of compromise.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10000
    runAsNonRoot: true
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 10100
      allowPrivilegeEscalation: false
      runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-1
spec:
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 1000
      runAsNonRoot: false
  - name: sec-ctx-demo-200
    image: gcr.io/google-samples/node-hedwfwllo:1.0
    securityContext:
      runAsUser: 2000
      runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: containers-runs-as-root
spec:
  securityContext:
    runAsUser: 0
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 1000
      runAsNonRoot: false

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 10
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false
  - name: sec-ctx-demo-200
    image: gcr.io/google-samples/node-hedwfwllo:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false

apiVersion: v1
kind: Pod
metadata:
  name: containers-runs-as-root
spec:
  securityContext:
    runAsUser: 0
    runAsNonRoot: false
  containers:
  - name: sec-ctx-demo-100
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      runAsNonRoot: false

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  containers:
  - name: sec-ctx-demo-1
    image: gcr.io/google-samples/node-hello:1.0
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: false
      runAsNonRoot: false