policy config_error ai_generated true

Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed. PodSecurityPolicy: 'privileged' is not allowed.

ID: policy/kubernetes-pod-security-policy-privileged-escalation

Fix rate: 80%
Confidence: 88%
Evidence count: 1
First seen: 2023-07-05

Version Compatibility

Version                    | Status | Introduced | Deprecated | Notes
Kubernetes 1.20-1.24 (PSP) | active |            |            |
Kubernetes 1.25+ (PSA)     | active |            |            |
OpenShift 4.x              | active |            |            |

Root Cause Analysis

The PodSecurityPolicy (or Pod Security Admission) in the namespace denies privileged containers, but the container image requires root privileges (e.g., it runs as root by default), and the pod spec does not set `runAsNonRoot: true` or `securityContext.runAsUser` to a non-root user.


Official Documentation

https://kubernetes.io/docs/concepts/security/pod-security-standards/

Solutions

  1. Modify the container image to run as a non-root user, or use securityContext in the pod spec to set runAsUser to a non-root user (e.g. 1000) and runAsNonRoot to true. Example YAML: `securityContext: { runAsUser: 1000, runAsNonRoot: true }`. Also make sure the image does not require root filesystem access.
  2. If the image cannot be changed, create a custom PodSecurityPolicy that allows privileged containers and bind it to the namespace. Use `kubectl create psp privileged-psp --privileged`, then create a RoleBinding or ClusterRoleBinding that grants the service account the `use` verb on the PSP.
  3. Upgrade to Kubernetes 1.25+ and use Pod Security Admission (PSA) instead of the deprecated PSP. Configure the namespace with a PSA label that allows privileged pods: `kubectl label namespace my-ns pod-security.kubernetes.io/enforce=privileged`.
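To make step 1 concrete, the following is an added Python model (not kubelet code, and not part of this page) of the check the kubelet performs at container start that emits the first error message above; it follows my understanding of that behaviour, and the pod specs, image reference `example/app:1` and USER values are constructed samples.

```python
# Added example: a simplified model of the kubelet's runAsNonRoot check, the one
# that emits "container has runAsNonRoot and image will run as root". This is
# not the kubelet's code; it follows my understanding of the kubelet's behaviour.

def effective_security_context(pod_spec, container):
    """Container-level securityContext fields override pod-level ones."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged

def image_user(user_directive):
    """Interpret an image's USER value as the CRI reports it:
    '' -> root (uid 0); numeric -> uid; a name -> username only."""
    user = user_directive.split(":", 1)[0]  # drop an optional ':group' suffix
    if user == "":
        return 0, ""
    if user.isdigit():
        return int(user), ""
    return None, user

def verify_run_as_non_root(pod_spec, container, user_directive):
    """Return the error the kubelet would raise, or None if the container may start."""
    sc = effective_security_context(pod_spec, container)
    if not sc.get("runAsNonRoot", False):
        return None                 # nothing to enforce
    if sc.get("runAsUser") is not None:
        if sc["runAsUser"] == 0:
            return "container's runAsUser breaks non-root policy"
        return None                 # an explicit non-root uid satisfies the check
    uid, username = image_user(user_directive)
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None:
        return ("container has runAsNonRoot and image has non-numeric user "
                f"({username}), cannot verify user is non-root")
    return None

def check_pod(pod, image_users):
    """Map each container name to its error (or None). image_users maps an
    image reference to the USER directive found in that image's config."""
    spec = pod["spec"]
    return {c["name"]: verify_run_as_non_root(spec, c, image_users.get(c["image"], ""))
            for c in spec["containers"]}

# Constructed sample: the failing spec from this page, and the fix from step 1.
BROKEN_POD = {"spec": {"securityContext": {"runAsNonRoot": True},
                       "containers": [{"name": "app", "image": "example/app:1"}]}}
FIXED_POD = {"spec": {"containers": [{"name": "app", "image": "example/app:1",
                       "securityContext": {"runAsUser": 1000, "runAsNonRoot": True}}]}}
IMAGE_USERS = {"example/app:1": ""}  # constructed: image sets no USER, so it runs as root
```

`check_pod(BROKEN_POD, IMAGE_USERS)` reproduces the page's error for container `app`, while `check_pod(FIXED_POD, IMAGE_USERS)` returns no error once `runAsUser: 1000` is set.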

Ineffective Attempts

Common but ineffective approaches:

  1. 90% failure rate

    The PodSecurityPolicy explicitly denies privileged containers. Setting privileged=true will cause the pod to be rejected by the admission controller.

  2. 70% failure rate

    The error indicates that the policy requires non-root, but the image runs as root. Removing runAsNonRoot does not change the image's behavior; the pod will still be rejected because the policy checks the effective user.

  3. 80% failure rate

    Setting runAsUser to 0 (root) conflicts with the policy's requirement for non-root containers. The admission controller will reject the pod.