{
  "id": "policy/kubernetes-pod-security-policy-privileged-container",
  "signature": "Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed",
  "signature_zh": "Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: privileged containers are not allowed",
  "regex": "container has runAsNonRoot and image will run as root|Privileged containers are not allowed",
  "domain": "policy",
  "category": "runtime_error",
  "subcategory": null,
  "root_cause": "Two different checks produce these messages. 'container has runAsNonRoot and image will run as root' comes from the kubelet when it creates the container, not from admission: the effective securityContext sets runAsNonRoot: true without a numeric runAsUser, and the image's USER is root or absent, so the pod is admitted but sits in CreateContainerConfigError. 'Privileged containers are not allowed' is an admission-time rejection by PodSecurityPolicy because a container sets securityContext.privileged: true; on clusters using Pod Security Admission the same request is rejected by the baseline or restricted level enforced on the namespace. Neither PodSecurityPolicy nor Pod Security Admission inspects the image; only the kubelet does.",
  "root_cause_type": "generic",
  "root_cause_zh": "Two separate checks are involved: the kubelet rejects container creation when runAsNonRoot: true is set without a numeric runAsUser and the image's USER is root or missing (the pod is admitted but stays in CreateContainerConfigError); PodSecurityPolicy, or the baseline/restricted Pod Security Admission level on the namespace, rejects the pod at admission when a container requests securityContext.privileged: true.",
  "versions": [
    {
      "version": "Kubernetes v1.25+ with Pod Security Admission",
      "introduced": "v1.22 (alpha), GA in v1.25",
      "deprecated": null,
      "removed": null,
      "behavior_change": "Replaces PodSecurityPolicy; enforcement is configured per namespace with pod-security.kubernetes.io/enforce labels rather than with PSP objects and RBAC",
      "status": "active"
    },
    {
      "version": "Kubernetes v1.21-1.24 with PodSecurityPolicy",
      "introduced": null,
      "deprecated": "v1.21",
      "removed": "v1.25",
      "behavior_change": null,
      "status": "deprecated"
    },
    {
      "version": "kubectl v1.28",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Docker 24.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Set securityContext.runAsNonRoot to false so that the kubelet check no longer runs",
      "why_fails": "It silences the kubelet error but does not make the pod acceptable to a namespace enforcing the restricted Pod Security level or to a PSP whose runAsUser rule is MustRunAsNonRoot; the pod is then rejected at admission instead. Either the policy must be changed or the image fixed.",
      "fail_rate": 0.8,
      "condition": "Namespace labelled pod-security.kubernetes.io/enforce=restricted, or a PSP with runAsUser.rule: MustRunAsNonRoot",
      "sources": []
    },
    {
      "action": "Add a USER directive to the Dockerfile without adapting the rest of the image",
      "why_fails": "A USER given by name (USER appuser) cannot be verified by the kubelet, which reports 'image has non-numeric user' instead; the UID must be numeric or the pod must set runAsUser. And if the entrypoint still needs root (nginx:latest binds port 80 and writes /var/run/nginx.pid and /var/cache/nginx as root), the container passes the check and then fails at startup.",
      "fail_rate": 0.5,
      "condition": "USER is a name rather than a UID, or the process binds a port below 1024 or writes to root-owned paths",
      "sources": []
    },
    {
      "action": "Relax or delete the policy cluster-wide instead of fixing the one workload",
      "why_fails": "This weakens cluster security and may violate compliance requirements. On clusters using Pod Security Admission there is no PSP object to delete; enforcement is the pod-security.kubernetes.io/enforce label on each namespace. Relabelling also does nothing for the kubelet's runAsNonRoot error, which depends only on the pod spec and the image.",
      "fail_rate": 0.3,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Rebuild the image so it runs as a numeric non-root UID: create the user with a fixed UID, make the paths the process writes writable by it, move listeners off ports below 1024, and end the Dockerfile with USER <uid> (a number, not a name)",
      "success_rate": 0.85,
      "how": "Example Dockerfile for nginx: FROM nginx:alpine; RUN addgroup -S appgroup && adduser -S -u 10001 -G appgroup appuser && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf && sed -i 's/listen  *80;/listen 8080;/' /etc/nginx/conf.d/default.conf && chown -R appuser:appgroup /var/cache/nginx; USER 10001. Check the result with docker inspect --format '{{.Config.User}}' <image>, which must print a number. For nginx the official nginxinc/nginx-unprivileged image already does this (UID 101, port 8080). The USER must be numeric because the kubelet does not read /etc/passwd inside the image; a name produces 'image has non-numeric user' unless the pod also sets runAsUser.",
      "condition": "The image can be rebuilt",
      "sources": []
    },
    {
      "action": "If the image cannot be changed: for the kubelet error, set securityContext.runAsUser to a non-zero UID in the pod spec (the kubelet then skips the image check); for the admission rejection, relabel only the affected namespace: kubectl label namespace my-namespace pod-security.kubernetes.io/enforce=baseline --overwrite",
      "success_rate": 0.8,
      "how": "runAsUser: 10001 together with runAsNonRoot: true satisfies the kubelet whatever the image declares, provided the process actually works under that UID. For the admission side, baseline permits running as root but still rejects securityContext.privileged: true; only pod-security.kubernetes.io/enforce=privileged allows privileged containers, and it disables enforcement for the whole namespace. Preview the effect with the warn and audit labels (pod-security.kubernetes.io/warn=baseline) before changing enforce.",
      "condition": "Pod Security Admission clusters; the namespace change applies only to the admission rejection, not to the kubelet runAsNonRoot error",
      "sources": []
    },
    {
      "action": "On clusters still running PodSecurityPolicy (v1.24 and earlier; the API is removed in v1.25), create a PSP that permits the container's security context and grant the workload's service account use of it",
      "success_rate": 0.75,
      "how": "apiVersion: policy/v1beta1; kind: PodSecurityPolicy; metadata: {name: custom-psp}; spec: {privileged: true, runAsUser: {rule: RunAsAny}, seLinux: {rule: RunAsAny}, supplementalGroups: {rule: RunAsAny}, fsGroup: {rule: RunAsAny}} (seLinux, supplementalGroups and fsGroup are required fields). A PSP has no effect until the pod's service account is allowed to use it: kubectl create role psp-custom --verb=use --resource=podsecuritypolicies --resource-name=custom-psp -n my-namespace, then bind the role to the service account with kubectl create rolebinding. Scope the PSP and binding to the one namespace and service account rather than to system:authenticated.",
      "condition": "Kubernetes v1.24 or earlier with the PodSecurityPolicy admission plugin enabled",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Rebuild the image to run as a numeric non-root UID: FROM nginx:alpine; RUN addgroup -S appgroup && adduser -S -u 10001 -G appgroup appuser && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf && sed -i 's/listen  *80;/listen 8080;/' /etc/nginx/conf.d/default.conf && chown -R appuser:appgroup /var/cache/nginx; USER 10001 (the USER must be a number, not a name)",
    "If the image cannot be changed: set securityContext.runAsUser to a non-zero UID for the kubelet error, or relabel the namespace for the admission rejection: kubectl label namespace my-namespace pod-security.kubernetes.io/enforce=baseline --overwrite (baseline still rejects privileged containers; only 'privileged' allows them)",
    "On clusters still using PodSecurityPolicy (deprecated, removed in v1.25), create a PSP allowing the container's security context and grant the service account use of it: apiVersion: policy/v1beta1; kind: PodSecurityPolicy; metadata: {name: custom-psp}; spec: {privileged: true, runAsUser: {rule: RunAsAny}, seLinux: {rule: RunAsAny}, supplementalGroups: {rule: RunAsAny}, fsGroup: {rule: RunAsAny}}"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2023-05-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}
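Added example (not part of this record and not Kubernetes project code): a Go port of the two decisions behind the two messages in the signature, so the difference between the kubelet check and the admission check can be exercised offline. VerifyRunAsNonRoot follows the logic of the kubelet's verifyRunAsNonRoot in pkg/kubelet/kuberuntime; AdmissionViolations covers only the privileged and runAsNonRoot rules of the Pod Security Standards, not a full profile. The type and function names, and the image descriptors in main, are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityContext: the securityContext fields these checks read; nil means unset.
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
	Privileged   *bool
}

// ImageUser: what the runtime reports for the image's USER (numeric UID, a name, or neither).
type ImageUser struct {
	UID      *int64
	Username string
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

// effective merges pod- and container-level contexts as the kubelet does: container wins.
func effective(pod, ctr *SecurityContext) SecurityContext {
	var sc SecurityContext
	for _, src := range []*SecurityContext{pod, ctr} {
		if src == nil {
			continue
		}
		if src.RunAsNonRoot != nil {
			sc.RunAsNonRoot = src.RunAsNonRoot
		}
		if src.RunAsUser != nil {
			sc.RunAsUser = src.RunAsUser
		}
		if src.Privileged != nil {
			sc.Privileged = src.Privileged
		}
	}
	return sc
}

// VerifyRunAsNonRoot mirrors the kubelet's pre-start check (written for this example
// after verifyRunAsNonRoot in pkg/kubelet/kuberuntime). It never consults the namespace
// policy: only the pod's own fields and the image's USER are compared.
func VerifyRunAsNonRoot(pod, ctr *SecurityContext, img ImageUser) error {
	sc := effective(pod, ctr)
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil // nothing requested, nothing to verify
	}
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return errors.New("container's runAsUser breaks non-root policy")
		}
		return nil // an explicit non-zero UID wins, whatever the image says
	}
	if img.UID == nil && img.Username != "" {
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", img.Username)
	}
	if img.UID == nil || *img.UID == 0 { // a missing USER is reported as UID 0
		return errors.New("container has runAsNonRoot and image will run as root")
	}
	return nil
}

// AdmissionViolations is the admission-time side, reduced to the two Pod Security
// Standards rules this record is about (a subset, not a full profile): privileged is
// rejected at baseline and restricted, and restricted also requires runAsNonRoot=true.
func AdmissionViolations(level string, pod, ctr *SecurityContext) []string {
	sc := effective(pod, ctr)
	var v []string
	if level == "privileged" {
		return v
	}
	if sc.Privileged != nil && *sc.Privileged {
		v = append(v, "privileged containers are not allowed")
	}
	if level == "restricted" && (sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot) {
		v = append(v, "runAsNonRoot must be set to true")
	}
	return v
}

func main() {
	nonRoot := &SecurityContext{RunAsNonRoot: boolPtr(true)}
	// Constructed image descriptors standing in for `docker inspect --format '{{.Config.User}}'`.
	fmt.Println("no USER (nginx:alpine) ->", VerifyRunAsNonRoot(nonRoot, nil, ImageUser{}))
	fmt.Println("USER appuser (a name)  ->", VerifyRunAsNonRoot(nonRoot, nil, ImageUser{Username: "appuser"}))
	fmt.Println("USER 10001 (numeric)   ->", VerifyRunAsNonRoot(nonRoot, nil, ImageUser{UID: int64Ptr(10001)}))
	// Pinning runAsUser in the pod spec clears the kubelet check without rebuilding the image.
	pinned := &SecurityContext{RunAsNonRoot: boolPtr(true), RunAsUser: int64Ptr(10001)}
	fmt.Println("runAsUser: 10001 in pod ->", VerifyRunAsNonRoot(pinned, nil, ImageUser{}))
	priv := &SecurityContext{Privileged: boolPtr(true)}
	fmt.Println("baseline + privileged  ->", AdmissionViolations("baseline", nil, priv))
	fmt.Println("privileged level       ->", AdmissionViolations("privileged", nil, priv))
}
```

Running it shows that the same pod spec passes or fails the kubelet depending only on whether the image's USER is numeric, that a name-only USER yields the different "non-numeric user" message, that runAsUser in the pod spec bypasses the image check entirely, and that relabelling a namespace to baseline still leaves a privileged container rejected.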