# Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed. PodSecurityPolicy: 'privileged' is not allowed.

- **ID:** `policy/kubernetes-pod-security-policy-privileged-escalation`
- **Domain:** policy
- **Category:** config_error
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The PodSecurityPolicy (or Pod Security Admission) in the namespace denies privileged containers and requires non-root containers, but the container image runs as root by default (its `USER` is root or unset), and the pod spec does not override this with a non-root `securityContext.runAsUser`. With `runAsNonRoot: true` set and no numeric non-root `runAsUser`, the kubelet falls back to the image's `USER`, finds that it would run as root, and refuses to start the container with "container has runAsNonRoot and image will run as root".

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kubernetes 1.20-1.24 (PSP) | active | — | — |
| Kubernetes 1.25+ (PSA) | active | — | — |
| OpenShift 4.x | active | — | — |

## Workarounds

1. **Modify the container image to run as a non-root user, or use a securityContext in the pod spec to set `runAsUser` to a non-root UID (e.g., 1000) and `runAsNonRoot` to `true`. Example YAML: `securityContext: { runAsUser: 1000, runAsNonRoot: true }`. Also ensure the image does not require write access to root-owned paths in its filesystem.** (85% success)
2. **If the image cannot be changed, create a custom PodSecurityPolicy that allows privileged containers and bind it to the namespace. Apply a PodSecurityPolicy manifest with `privileged: true` (there is no `kubectl create psp` subcommand; use `kubectl apply -f`), then create a Role and a RoleBinding (or ClusterRole and ClusterRoleBinding) that grant the `use` verb on that PSP to the service account. Bind it to the workload's own service account rather than to every service account in the namespace, since any pod using the bound account can then run privileged.** (70% success)
3. **Upgrade to Kubernetes 1.25+ and use Pod Security Admission (PSA) instead of PSP, which is deprecated and removed in 1.25. Configure the namespace with a PSA label that allows privileged pods: `kubectl label namespace my-ns pod-security.kubernetes.io/enforce=privileged`. This label disables pod-security enforcement for every pod in that namespace, so apply it only to a namespace dedicated to the workload that needs it.** (80% success)

## Dead Ends

- The PodSecurityPolicy explicitly denies privileged containers. Setting `privileged: true` will cause the pod to be rejected by the admission controller. (90% fail)
- The error indicates that the policy requires non-root, but the image runs as root. Removing `runAsNonRoot` does not change the image's behavior; the pod will still be rejected because the policy checks the effective user. (70% fail)
- Setting `runAsUser` to 0 (root) conflicts with the policy's requirement for non-root containers. The admission controller will reject the pod. (80% fail)
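The following is an added example, not part of this entry: a small pre-apply lint that reproduces the rejections described under Root Cause, Workaround 1 and Dead Ends, so a pod spec can be checked in CI before it reaches the admission controller. The pod specs, the image reference and the map of image `USER` values are constructed sample data; resolving a real image's `USER` from the registry is left to the caller.

```python
# Added example (not from the page): lint a pod spec for the non-root / privileged
# rejections this entry describes. Pod specs and IMAGE_USERS are constructed samples.
from typing import Dict, List, Optional

ROOT_USERS = {"", "root", "0"}  # an unset or root USER in the image config means root


def effective_run_as_user(container: dict, spec: dict) -> Optional[str]:
    """runAsUser with kubelet precedence: container securityContext, then pod-level."""
    for sc in (container.get("securityContext") or {}, spec.get("securityContext") or {}):
        if sc.get("runAsUser") is not None:
            return str(sc["runAsUser"])
    return None  # nothing set: the kubelet falls back to the image's USER


def check_pod(pod: dict, image_users: Dict[str, str]) -> List[str]:
    """Return the policy/kubelet rejections the pod would hit (empty list = admitted).
    image_users maps an image reference to the USER in its config ('' when unset)."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec["containers"]:
        sc = c.get("securityContext") or {}
        name = c["name"]
        if sc.get("privileged"):  # dead end 1: denied outright by the policy
            findings.append(f"{name}: privileged containers are not allowed")
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        user = effective_run_as_user(c, spec)
        if user == "0":  # dead end 3: explicit root conflicts with non-root policy
            findings.append(f"{name}: runAsUser 0 breaks non-root policy")
        elif run_as_non_root:
            if user is None:  # kubelet checks the image config, as in the Root Cause
                image_user = image_users.get(c["image"], "")
                if image_user in ROOT_USERS:
                    findings.append(f"{name}: container has runAsNonRoot and image will run as root")
                elif not image_user.isdigit():
                    findings.append(f"{name}: image has non-numeric user ({image_user}), cannot verify non-root")
        elif user is None:  # dead end 2: dropping runAsNonRoot does not make the image non-root
            findings.append(f"{name}: neither runAsNonRoot: true nor a non-root runAsUser is set")
    return findings


IMAGE_USERS = {"registry.example/app:1.0": ""}  # constructed: image sets no USER, so root

BAD_POD = {"spec": {"securityContext": {"runAsNonRoot": True},
                    "containers": [{"name": "app", "image": "registry.example/app:1.0"}]}}
FIXED_POD = {"spec": {"securityContext": {"runAsUser": 1000, "runAsNonRoot": True},  # workaround 1
                      "containers": [{"name": "app", "image": "registry.example/app:1.0"}]}}

if __name__ == "__main__":
    print(check_pod(BAD_POD, IMAGE_USERS))    # one finding: image will run as root
    print(check_pod(FIXED_POD, IMAGE_USERS))  # []
```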
