{
  "id": "policy/kubernetes-pod-security-policy-privileged-escalation",
  "signature": "Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed. PodSecurityPolicy: 'privileged' is not allowed.",
  "signature_zh": "Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: privileged containers are not allowed. PodSecurityPolicy: 'privileged' is not allowed.",
  "regex": "container has runAsNonRoot and image will run as root|PodSecurityPolicy: .*[Pp]rivileged containers are not allowed",
  "domain": "policy",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "Two distinct checks are conflated in this signature. 'container has runAsNonRoot and image will run as root' is raised by the kubelet when it creates the container, not by admission: the effective securityContext has `runAsNonRoot: true` (set in the pod spec, injected by a PodSecurityPolicy whose runAsUser rule is MustRunAsNonRoot, or assigned by an OpenShift SecurityContextConstraint) but no `runAsUser`, and the image's USER is root or unset, so the kubelet cannot prove the process will be non-root. The pod object is created and stays in CreateContainerConfigError; the message shows up in `kubectl describe pod` events. 'PodSecurityPolicy: Privileged containers are not allowed' is an admission error: the pod spec sets `securityContext.privileged: true` and no PSP usable by the requesting user or the pod's service account permits it, so the create request is refused outright.",
  "root_cause_type": "generic",
  "root_cause_zh": "Two distinct checks are conflated in this signature. 'container has runAsNonRoot and image will run as root' is raised by the kubelet when it creates the container, not by admission: the effective securityContext has `runAsNonRoot: true` (set in the pod spec, injected by a PodSecurityPolicy whose runAsUser rule is MustRunAsNonRoot, or assigned by an OpenShift SecurityContextConstraint) but no `runAsUser`, and the image's USER is root or unset, so the kubelet cannot prove the process will be non-root. The pod is created and stays in CreateContainerConfigError. 'PodSecurityPolicy: Privileged containers are not allowed' is an admission error: the pod spec sets `securityContext.privileged: true` and no PSP usable by the requesting user or the pod's service account permits it, so the create request is refused.",
  "versions": [
    {
      "version": "Kubernetes 1.20-1.24 (PSP)",
      "introduced": null,
      "deprecated": "1.21",
      "removed": "1.25",
      "behavior_change": "A PSP with runAsUser.rule MustRunAsNonRoot mutates pods at admission, injecting runAsNonRoot: true into containers that set neither runAsNonRoot nor runAsUser.",
      "status": "active"
    },
    {
      "version": "Kubernetes 1.25+ (PSA)",
      "introduced": "1.22 (alpha), 1.23 (beta, enabled by default), 1.25 (stable)",
      "deprecated": null,
      "removed": null,
      "behavior_change": "Pod Security Admission validates only and never mutates: the restricted level requires runAsNonRoot: true in the spec itself, baseline permits root but not privileged containers, and only the privileged level admits privileged: true.",
      "status": "active"
    },
    {
      "version": "OpenShift 4.x",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": "Enforced through SecurityContextConstraints rather than PSP; the default restricted SCC assigns runAsUser from the namespace UID range and denies privileged containers, so the same kubelet and admission messages appear with SCC wording.",
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Set `securityContext.privileged: true` on the container so the image can do whatever it needs as root.",
      "why_fails": "The PodSecurityPolicy (or a PSA baseline or restricted namespace) explicitly denies privileged containers, so the admission controller rejects the create request with 'Privileged containers are not allowed'. Privileged mode also does nothing for the runAsNonRoot check, which the kubelet evaluates independently.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "Remove `runAsNonRoot: true` from the pod spec so the image can start as root.",
      "why_fails": "Under PSP, a policy whose runAsUser rule is MustRunAsNonRoot mutates any container that sets neither runAsNonRoot nor runAsUser by injecting `runAsNonRoot: true`, so the kubelet still sees the flag against a root image and fails with the same message. Under PSA restricted the pod is instead refused at admission with 'runAsNonRoot != true'. Only the baseline level lets a root image start once the field is dropped, which is precisely the permission the policy exists to withhold.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "Set `securityContext.runAsUser: 0` to give the image the root UID it expects.",
      "why_fails": "A PSP with MustRunAsNonRoot rejects it at admission ('running with the root UID is forbidden'), as does PSA restricted ('runAsUser=0'). Even where admission would allow it, a spec that combines `runAsNonRoot: true` with `runAsUser: 0` still fails on the kubelet with 'container's runAsUser breaks non-root policy'.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Run the container as a non-root UID: set `runAsNonRoot: true` and a non-zero `runAsUser` in the pod spec, or give the image a numeric USER.",
      "success_rate": 0.85,
      "how": "Add `securityContext: { runAsNonRoot: true, runAsUser: 1000 }` at pod level or per container (container-level fields override pod-level ones). With an explicit non-zero runAsUser the kubelet accepts the container regardless of the image's USER; the image USER is consulted only when runAsUser is absent, and it must then be numeric, because a symbolic `USER nobody` fails with 'cannot verify user is non-root'. The process must actually work as that UID: chown the directories it writes in the Dockerfile or set `fsGroup` for volumes, and listen on ports above 1023 or add the NET_BIND_SERVICE capability. Under PSA restricted the container must additionally set `allowPrivilegeEscalation: false`, drop all capabilities (NET_BIND_SERVICE may be added back) and declare a seccompProfile of type RuntimeDefault or Localhost, or admission still fails on those fields.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the image cannot be changed and the cluster still runs PSP (Kubernetes 1.24 or earlier), apply a PodSecurityPolicy that allows privileged containers and grant the workload's service account the `use` verb on it.",
      "success_rate": 0.7,
      "how": "There is no `kubectl create psp` subcommand; write a PodSecurityPolicy manifest with `privileged: true` and `runAsUser.rule: RunAsAny` (and RunAsAny for seLinux, supplementalGroups and fsGroup) and apply it with `kubectl apply -f`. Then bind it in the namespace: `kubectl create role psp:privileged-psp --verb=use --resource=podsecuritypolicies --resource-name=privileged-psp -n my-ns` followed by `kubectl create rolebinding psp:privileged-psp --role=psp:privileged-psp --serviceaccount=my-ns:my-sa -n my-ns`. Bind to the single service account that needs it, never to `system:serviceaccounts`: a privileged PSP lets any pod using it reach the node's devices and namespaces, which is root on the host. PSP was removed in 1.25, so this path disappears on upgrade.",
      "condition": "",
      "sources": []
    },
    {
      "action": "On Kubernetes 1.25+ (PSP removed, Pod Security Admission stable) relax the namespace's PSA enforce level to the least permissive level that admits the workload.",
      "success_rate": 0.8,
      "how": "PSA is configured with namespace labels. A root-running but otherwise ordinary image only needs `baseline`, which does not require runAsNonRoot; `privileged` disables enforcement for the whole namespace and should be reserved for workloads that genuinely need `privileged: true`. Example: `kubectl label --overwrite namespace my-ns pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=restricted`, which admits the pod while still surfacing restricted-level violations as API warnings and audit annotations. Preview the effect first with `kubectl label --dry-run=server --overwrite namespace my-ns pod-security.kubernetes.io/enforce=baseline`, which reports existing pods that would be rejected. Because PSA never mutates, a workload that relied on PSP injecting runAsNonRoot or runAsUser must now set those fields explicitly, and relabeling does not evict pods that are already running.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Run the container as a non-root UID: set `securityContext: { runAsNonRoot: true, runAsUser: 1000 }` in the pod spec (an explicit non-zero runAsUser passes the kubelet check regardless of the image USER) or give the image a numeric USER, and make sure the process works as that UID (writable paths, ports above 1023).",
    "If the image cannot be changed and the cluster still runs PSP (1.24 or earlier), apply a PodSecurityPolicy manifest with `privileged: true` and `runAsUser.rule: RunAsAny`, then grant the workload's service account the `use` verb on it through a Role and RoleBinding in the namespace; there is no `kubectl create psp` subcommand.",
    "On Kubernetes 1.25+ use Pod Security Admission (PSP is removed) and set the least permissive namespace level that admits the workload: `kubectl label --overwrite namespace my-ns pod-security.kubernetes.io/enforce=baseline` for a root-running image, `enforce=privileged` only when privileged containers are genuinely required, keeping `warn` and `audit` at restricted."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.8,
  "resolvable": "true",
  "first_seen": "2023-07-05",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": ["kubernetes", "podsecuritypolicy", "pod-security-admission", "securitycontext", "runAsNonRoot", "privileged", "CreateContainerConfigError", "openshift", "scc"],
  "locale": "en",
  "aliases": []
}
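Appended after the record as an added example (not code from Kubernetes, OpenShift or this corpus): an offline Python model of the two checks the record describes, the kubelet's runAsNonRoot verification and the admission step (a PSP with MustRunAsNonRoot, or PSA at the baseline/restricted levels). It runs the three dead ends and the first workaround through each policy and reports where each one fails. The pod specs, the image name `registry.example/app:1.0`, the policy names passed to `admit_and_start` and the simplified policy logic are constructed for illustration; the error strings follow the real ones but are paraphrased where the originals carry pod and container names.

```python
"""Offline model of the checks behind this record (illustration only; not kubelet or
kube-apiserver code). Simplified: the kubelet's runAsNonRoot verification, a PSP with
privileged: false and runAsUser.rule MustRunAsNonRoot (mutating admission), and Pod
Security Admission at baseline/restricted (validating only, and only the fields this
record is about). Pod specs and the image name are constructed samples."""
import copy
from typing import Optional


def effective_sc(pod: dict, container: dict) -> dict:
    """Container-level securityContext fields override pod-level ones."""
    merged = dict(pod["spec"].get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def kubelet_verify_non_root(pod: dict, container: dict, image_uid: Optional[int], image_user: str) -> Optional[str]:
    """Kubelet decision at container creation. image_uid/image_user model the USER the runtime
    reports for the image: no USER directive -> uid 0; symbolic USER -> uid None, image_user set."""
    sc = effective_sc(pod, container)
    if not sc.get("runAsNonRoot"):
        return None  # the check only runs when runAsNonRoot is true
    if "runAsUser" in sc:  # an explicit UID takes precedence over the image USER
        return "container's runAsUser breaks non-root policy" if sc["runAsUser"] == 0 else None
    if image_uid is None and image_user:
        return f"container has runAsNonRoot and image has non-numeric user ({image_user}), cannot verify user is non-root"
    if image_uid == 0:
        return "container has runAsNonRoot and image will run as root"
    return None


def psp_must_run_as_non_root(pod: dict) -> Optional[str]:
    """PSP admission (Kubernetes <= 1.24). Besides validating, it mutates: a container that
    sets neither runAsNonRoot nor runAsUser gets runAsNonRoot: true injected, which is why
    deleting the field from the spec changes nothing."""
    for c in pod["spec"]["containers"]:
        sc = effective_sc(pod, c)
        if sc.get("privileged"):
            return "PodSecurityPolicy: Privileged containers are not allowed"
        if sc.get("runAsUser") == 0:
            return "PodSecurityPolicy: running with the root UID is forbidden"
        if "runAsNonRoot" not in sc and "runAsUser" not in sc:
            c.setdefault("securityContext", {})["runAsNonRoot"] = True  # the mutation
    return None


def psa_check(pod: dict, level: str) -> list:
    """Pod Security Admission never mutates. baseline forbids privileged containers; restricted
    also demands runAsNonRoot: true and forbids runAsUser: 0 (its other rules are omitted)."""
    violations = []
    if level == "privileged":
        return violations
    for c in pod["spec"]["containers"]:
        sc = effective_sc(pod, c)
        if sc.get("privileged"):
            violations.append(f'privileged (container "{c["name"]}" must not set securityContext.privileged=true)')
        if level == "restricted":
            if sc.get("runAsNonRoot") is not True:
                violations.append("runAsNonRoot != true")
            if sc.get("runAsUser") == 0:
                violations.append("runAsUser=0")
    return violations


def admit_and_start(pod: dict, policy: str, image_uid: Optional[int] = 0, image_user: str = "") -> str:
    """Push a pod through admission ('psp' or a PSA level) and then the kubelet. Returns
    'admission: ...' (create request refused), 'kubelet: ...' (the pod object exists but
    stays in CreateContainerConfigError) or 'running'."""
    pod = copy.deepcopy(pod)  # the PSP mutation must not leak into the caller's spec
    if policy == "psp":
        err = psp_must_run_as_non_root(pod)
        if err:
            return "admission: " + err
    else:
        violations = psa_check(pod, policy)
        if violations:
            return "admission: " + "; ".join(violations)
    for c in pod["spec"]["containers"]:
        err = kubelet_verify_non_root(pod, c, image_uid, image_user)
        if err:
            return "kubelet: " + err
    return "running"


def pod_with(container_sc: Optional[dict]) -> dict:
    """Constructed one-container pod; the image is assumed to carry no USER (so it is root)."""
    c = {"name": "app", "image": "registry.example/app:1.0"}
    if container_sc is not None:
        c["securityContext"] = container_sc
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"}, "spec": {"containers": [c]}}


CASES = {
    "dead end: privileged=true": pod_with({"privileged": True}),
    "dead end: drop runAsNonRoot": pod_with(None),
    "dead end: runAsUser=0": pod_with({"runAsNonRoot": True, "runAsUser": 0}),
    "fix: runAsUser=1000": pod_with({"runAsNonRoot": True, "runAsUser": 1000}),
}

if __name__ == "__main__":
    for policy in ("psp", "restricted", "baseline"):
        for name, pod in CASES.items():
            print(f"{policy:10} {name:28} -> {admit_and_start(pod, policy)}")
    # A numeric runAsUser is the fix because the kubelet cannot verify a symbolic image USER.
    print("restricted  image USER=nobody            ->", admit_and_start(pod_with({"runAsNonRoot": True}), "restricted", None, "nobody"))
```

Two things the table the script prints makes visible that the record's prose does not: the same spec that is refused at admission under PSA restricted is admitted and then stuck on the kubelet under PSP, because PSP injected the field the user thought they had removed; and the "drop runAsNonRoot" dead end is only a dead end above the baseline level, which is why relabeling a namespace to baseline makes a root image start.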