# Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed

- **ID:** `policy/kubernetes-pod-security-policy-privileged-container`
- **Domain:** policy
- **Category:** runtime_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

Kubernetes PodSecurityPolicy (or Pod Security Admission) rejects the pod because the container's security context conflicts with the policy: either the image runs as root while the policy requires non-root (`runAsNonRoot`), or the container requests privileged mode.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kubernetes v1.25+ with Pod Security Admission | active | — | — |
| Kubernetes v1.21-1.24 with PodSecurityPolicy | active | — | — |
| kubectl v1.28 | active | — | — |
| Docker 24.0 | active | — | — |

## Workarounds

1. **Modify the container image to run as a non-root user by adding a `USER` directive in the Dockerfile and ensuring file permissions are correct** (85% success)
   ```dockerfile
   FROM nginx:alpine
   RUN addgroup -S appgroup && adduser -S appuser -G appgroup
   USER appuser
   ```
2. **If the image cannot be changed, update the namespace's Pod Security Admission labels to a more permissive level (`baseline`, or `privileged` for full access)** (80% success)
   ```bash
   kubectl label namespace my-namespace pod-security.kubernetes.io/enforce=baseline --overwrite
   # or, for full access:
   kubectl label namespace my-namespace pod-security.kubernetes.io/enforce=privileged --overwrite
   ```
3. **For clusters with PodSecurityPolicy (deprecated), create a custom PSP that allows the specific container's security context** (75% success)
   ```yaml
   apiVersion: policy/v1beta1
   kind: PodSecurityPolicy
   metadata:
     name: custom-psp
   spec:
     privileged: true
     runAsUser:
       rule: RunAsAny
     # The API requires these three strategies as well; RunAsAny keeps them permissive.
     seLinux:
       rule: RunAsAny
     supplementalGroups:
       rule: RunAsAny
     fsGroup:
       rule: RunAsAny
   # A PSP has no effect until RBAC grants the pod's service account the
   # "use" verb on it; bind it with a Role/RoleBinding in the namespace.
   ```

## Dead Ends

- **Setting `runAsNonRoot: false` on the container** — If the policy enforces runAsNonRoot, setting it to false will still be rejected; the policy must be changed or the image must be fixed. (80% fail)
- **Adding `USER` to an image whose process needs root** — If the base image runs a process as root by default (e.g., nginx:latest), simply adding a USER directive may not work if the process requires root permissions. (50% fail)
- **Relaxing the policy instead of the image** — This weakens cluster security and may violate compliance; also, on newer clusters using Pod Security Admission, the policy is enforced at the namespace level via labels. (30% fail)
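
The workarounds and dead ends above describe two separate checks: the admission-time Pod Security rules on `privileged` and `runAsNonRoot`, and the kubelet's start-time check that produces "container has runAsNonRoot and image will run as root". The following script is an added example (not Kubernetes source and not part of this entry) that models both checks offline so the behaviour of each fix can be tried against sample manifests. It implements only the `privileged` and `runAsNonRoot`/`runAsUser` rules, not the full restricted profile; `IMAGE_USERS` is a constructed stand-in for the `USER` baked into each image (a real kubelet reads that from the image config), and `make_pod` is a helper that builds constructed sample manifests.

```python
"""Offline model of the two checks behind the error on this page.

Added example, not Kubernetes code. Only the privileged and
runAsNonRoot/runAsUser rules of the Pod Security Standards are modelled;
the restricted profile has further rules (capabilities, seccomp, ...)
that this script ignores.
"""

# Constructed: image -> user set by the Dockerfile USER directive.
# An empty string means no USER directive, i.e. the image runs as root.
IMAGE_USERS = {
    "nginx:latest": "",
    "nginx:alpine": "",
    "registry.example/nginx-nonroot:1.0": "appuser",  # built with USER appuser
}

PROFILES = ("privileged", "baseline", "restricted")


def effective_security_context(pod_spec, container):
    """Container-level securityContext fields override pod-level ones."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def admission_violations(pod, enforce="baseline"):
    """Violations Pod Security Admission would report for the namespace's
    pod-security.kubernetes.io/enforce level. An empty list means admitted."""
    if enforce not in PROFILES:
        raise ValueError(f"unknown enforce level {enforce!r}")
    if enforce == "privileged":
        return []  # privileged profile imposes no restrictions
    spec = pod.get("spec", {})
    out = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = effective_security_context(spec, c)
        # baseline and restricted both forbid privileged mode
        if sc.get("privileged") is True:
            out.append(f"{name}: Privileged containers are not allowed")
        if enforce == "restricted":
            # restricted requires an effective runAsNonRoot of true; an
            # explicit false (the dead end above) fails like an unset field
            if sc.get("runAsNonRoot") is not True:
                out.append(f"{name}: runAsNonRoot != true")
            if sc.get("runAsUser") == 0:
                out.append(f"{name}: runAsUser=0 is not allowed")
    return out


def kubelet_start_errors(pod, image_users=IMAGE_USERS):
    """Start-time check applied after admission: with runAsNonRoot=true and
    no explicit runAsUser, the image's own USER decides whether the
    container may start."""
    spec = pod.get("spec", {})
    out = []
    for c in spec.get("containers", []):
        sc = effective_security_context(spec, c)
        if sc.get("runAsNonRoot") is not True:
            continue  # nothing to enforce at start time
        run_as_user = sc.get("runAsUser")
        if run_as_user is not None:
            if run_as_user == 0:
                out.append(f"{c['name']}: runAsUser=0 conflicts with runAsNonRoot")
            continue  # an explicit non-zero UID overrides the image USER
        user = image_users.get(c["image"], "")
        if user in ("", "0", "root"):
            out.append(f"{c['name']}: container has runAsNonRoot and image will run as root")
    return out


def make_pod(image, container_sc=None, pod_sc=None):
    """Build a minimal constructed pod manifest for the checks above."""
    container = {"name": "web", "image": image}
    if container_sc:
        container["securityContext"] = container_sc
    pod = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
           "spec": {"containers": [container]}}
    if pod_sc:
        pod["spec"]["securityContext"] = pod_sc
    return pod


if __name__ == "__main__":
    samples = {
        "root image":     make_pod("nginx:latest", {"runAsNonRoot": True}),
        "non-root image": make_pod("registry.example/nginx-nonroot:1.0", {"runAsNonRoot": True}),
        "privileged":     make_pod("nginx:latest", {"privileged": True}),
    }
    for label, pod in samples.items():
        print(label, admission_violations(pod, "restricted"), kubelet_start_errors(pod))
```

Running it shows why relabelling the namespace to `baseline` does not clear the first error in the title: the root image passes admission under `baseline` but still fails the kubelet check, whereas the rebuilt image with `USER appuser` passes both.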
