Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed
ID: policy/kubernetes-pod-security-policy-privileged-container
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Kubernetes v1.25+ with Pod Security Admission | active | — | — | — |
| Kubernetes v1.21-1.24 with PodSecurityPolicy | active | — | — | — |
| kubectl v1.28 | active | — | — | — |
| Docker 24.0 | active | — | — | — |
Root Cause
Kubernetes PodSecurityPolicy (or Pod Security Admission) rejects the pod because the container's security context conflicts with the policy: specifically, the image runs as root while the policy requires a non-root user, or the container requests privileged mode.
Official Documentation
https://kubernetes.io/docs/concepts/security/pod-security-standards/
Workarounds
- 85% success: Modify the container image to run as a non-root user by adding a USER directive in the Dockerfile and ensuring file permissions are correct: FROM nginx:alpine; RUN addgroup -S appgroup && adduser -S appuser -G appgroup; USER appuser
- 80% success: If the image cannot be changed, update the namespace's Pod Security Admission labels to a more permissive level: kubectl label namespace my-namespace pod-security.kubernetes.io/enforce=baseline --overwrite (or 'privileged' for full access)
- 75% success: For clusters with PodSecurityPolicy (deprecated), create a custom PSP that allows the specific container's security context: apiVersion: policy/v1beta1; kind: PodSecurityPolicy; metadata: {name: custom-psp}; spec: {privileged: true, runAsUser: {rule: RunAsAny}}
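The first workaround fixes the image, which is the only one of the three that does not weaken the policy. Two details matter when checking an image before it reaches admission: the last USER instruction of the final build stage is the one that applies, and the kubelet can only verify runAsNonRoot against a numeric UID, so an image whose final USER is a name such as appuser is rejected with "cannot verify user is non-root" unless the pod also sets a numeric runAsUser. The following script is an added example, not code from the original page or from Kubernetes or Docker; it assumes a base image without a USER of its own runs as root and does not expand ARG/ENV references inside USER. The function dockerfile_user_class and the 10001 UID are constructed for this illustration.

```shell
#!/usr/bin/env sh
# Added example (not code from the original page): a pre-deploy check that
# classifies the user a Dockerfile ends up running as, so that a runAsNonRoot
# or restricted Pod Security policy does not reject the pod at admission.
#
# Output (one line on stdout), assuming a base image without its own USER
# runs as root:
#   root          no USER in the final stage, USER root, or USER 0
#   uid:<n>       numeric USER: the kubelet can verify runAsNonRoot against it
#   name:<user>   named USER: the kubelet cannot verify it, so the pod also
#                 needs a numeric runAsUser in its securityContext
# Reads the Dockerfile from the path given as $1, or from stdin if no path.
dockerfile_user_class() {
  awk '
    # A new stage starts fresh: USER lines from earlier stages do not carry over
    toupper($1) == "FROM" { user = "" }
    # The last USER instruction in the final stage is the one that applies
    toupper($1) == "USER" { user = $2 }
    END {
      split(user, parts, ":")   # USER may be written as user[:group]
      u = parts[1]
      if (u == "" || u == "root" || u == "0") print "root"
      else if (u ~ /^[0-9]+$/)                print "uid:" u
      else                                    print "name:" u
    }
  ' "$@"
}

# Exit 0 when the image satisfies runAsNonRoot on its own, 1 when the pod spec
# must also carry a numeric runAsUser, 2 when the image would run as root.
nonroot_status() {
  case "$(dockerfile_user_class "$@")" in
    uid:*)  return 0 ;;
    name:*) return 1 ;;
    *)      return 2 ;;
  esac
}

# Demo on a constructed Dockerfile: the entry's first workaround with a fixed
# numeric UID (10001, chosen for this example) so admission can verify it.
printf '%s\n' \
  'FROM nginx:alpine' \
  'RUN addgroup -S -g 10001 appgroup && adduser -S -u 10001 -G appgroup appuser' \
  'USER 10001' \
  | dockerfile_user_class
```

Run it as a CI step on each Dockerfile (dockerfile_user_class path/to/Dockerfile) and fail the build on exit status 2; status 1 is a reminder to pin a numeric runAsUser in the pod's securityContext rather than a reason to loosen the namespace policy.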
Dead Ends
Common approaches that don't work:
- 80% fail: If the policy enforces runAsNonRoot, setting runAsNonRoot to false in the pod's securityContext will still be rejected; the policy must be changed or the image must be fixed.
- 50% fail: If the base image runs its process as root by default (e.g., nginx:latest), simply adding a USER directive may not work if the process requires root permissions.
- 30% fail: Loosening the policy (relaxing the namespace's enforce level, or a custom PSP that allows privileged containers) weakens cluster security and may violate compliance; also, on newer clusters using Pod Security Admission, the policy is enforced at the namespace level via labels rather than through PSP objects.