Tags: Forbidden · policy · config_error · ai_generated: true

Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed.

ID: policy/kubernetes-podsecuritypolicy-privileged-container-blocked

Fix Rate: 82%
Confidence: 86%
Evidence: 1
First Seen: 2023-12-05

Version Compatibility

Version          Status   Introduced   Deprecated   Notes
Kubernetes 1.24  active   -            -            Last release that ships PodSecurityPolicy (deprecated in 1.21, removed in 1.25). From 1.25 the same "privileged" and "runAsNonRoot" checks are enforced by Pod Security Admission, so the error text changes but the fix does not.
kubectl 1.28     active   -            -            -

Root Cause

The two halves of this message come from two different components, and it helps to know which one is talking.

"container has runAsNonRoot and image will run as root" is emitted by the kubelet, not by the policy engine. The pod was admitted, but when the kubelet went to create the container it found securityContext.runAsNonRoot: true with no runAsUser, while the image's USER is root (uid 0) or unset. The container is left in CreateContainerConfigError and never starts. The kubelet also refuses when the image sets a non-numeric USER (for example USER node), reporting that it "has non-numeric user ... cannot verify user is non-root", because it can only compare a numeric uid against 0.

"PodSecurityPolicy: Privileged containers are not allowed" is an admission-time rejection: a PodSecurityPolicy whose spec.privileged is false (or an equivalent OPA/Gatekeeper constraint or Pod Security Admission level) refuses any pod with a container that sets securityContext.privileged: true. Admission runs first, so a pod with both problems is rejected outright; the kubelet check only applies once a pod has been accepted.
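The manifest pair below is an added example, not part of the original page. The first pod triggers both halves of the error above; the second is the corrected form that a MustRunAsNonRoot / privileged:false policy accepts. It uses the node:18-alpine image named in the workarounds, which ships without a USER directive (so it runs as uid 0) and contains a "node" user with uid 1000. The namespace and pod name "app" and the placeholder command are assumptions.

```yaml
# Rejected. Assumed namespace "app"; node:18-alpine runs as uid 0 by default.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  containers:
  - name: app
    image: node:18-alpine
    command: ["node", "-e", "setInterval(() => {}, 1000)"]   # placeholder workload
    securityContext:
      privileged: true      # rejected at admission by PSP / PSA / Gatekeeper:
                            #   "Privileged containers are not allowed"
      runAsNonRoot: true    # if the pod were admitted, the kubelet would refuse to start it:
                            #   "container has runAsNonRoot and image will run as root"
---
# Accepted under a MustRunAsNonRoot / privileged:false policy (and PSA "restricted").
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000       # numeric uid of the image's "node" user; the kubelet cannot
    runAsGroup: 1000      # verify a named USER against runAsNonRoot, only a number
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: node:18-alpine
    command: ["node", "-e", "setInterval(() => {}, 1000)"]
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Applying the first document shows the error in two places. kubectl apply returns the admission rejection immediately; if you delete the privileged line the pod is created, but kubectl get pod app -n app shows CreateContainerConfigError and kubectl describe carries the runAsNonRoot message. docker inspect --format '{{.Config.User}}' node:18-alpine prints an empty string, which is how to confirm an image will run as root before it reaches the cluster.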


Official Documentation

https://kubernetes.io/docs/concepts/security/pod-security-policy/
https://kubernetes.io/docs/concepts/security/pod-security-admission/ (the replacement for PodSecurityPolicy from Kubernetes 1.25)

Workarounds

  1. 85% success Build the image to run as a non-root user. Add a USER directive to the Dockerfile, for example 'FROM node:18-alpine' followed by 'USER node', then rebuild and push the image. Use a numeric uid ('USER 1000', which is the node user in that image) if the pod sets runAsNonRoot: true without runAsUser, because the kubelet cannot verify a named USER and fails with "image has non-numeric user (node), cannot verify user is non-root". Check the result before deploying with docker inspect --format '{{.Config.User}}' on the built image.
  2. 80% success Set a specific numeric runAsUser in the pod security context that matches a non-root user in the image, alongside runAsNonRoot: 'securityContext: runAsNonRoot: true, runAsUser: 1000' (uid 1000 is the node user in node:18-alpine; confirm the uid exists in your image and that any paths the process writes to are owned or writable by it). If the policy's runAsUser rule is MustRunAs with a range, the uid must also fall inside that range.
  3. 70% success Request an exception from the cluster administrator to allow the privileged container. With PodSecurityPolicy this means a (Cluster)Role granting the 'use' verb on a PSP whose spec.privileged is true, bound by a RoleBinding or ClusterRoleBinding to the pod's ServiceAccount; under Pod Security Admission it means labelling the namespace with a 'privileged' enforce level. Scope the exception to one ServiceAccount in one namespace: a privileged container has unrestricted access to the node's devices and kernel, so first check whether the workload actually needs it or only a specific capability (add it with securityContext.capabilities.add instead).
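As an added example (not taken from the original page), this is the policy side of workaround 3 and the reason the dead ends below fail: a cluster-scoped PodSecurityPolicy, the ClusterRole that grants the 'use' verb on it, and the namespaced RoleBinding that makes it available to one ServiceAccount. For Kubernetes 1.25 and later, where PodSecurityPolicy no longer exists, the equivalent Pod Security Admission namespace label is included at the end. The names (restricted, psp-restricted, namespace app, the default ServiceAccount) are assumptions.

```yaml
# PodSecurityPolicy objects are cluster-scoped (no namespace). Kubernetes <= 1.24 only.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted                # assumed name
spec:
  privileged: false               # source of "Privileged containers are not allowed"
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot        # rejects runAsNonRoot: false; if neither runAsUser nor
                                  # runAsNonRoot is set, mutates the pod to runAsNonRoot: true
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: [configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim]
---
# Authorization is plain RBAC: a subject may use a PSP only if it holds "use" on that resource name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted            # assumed name
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["restricted"]
  verbs: ["use"]
---
# The binding is the only namespaced piece. An "exception" for a privileged workload has the
# same shape: a second PSP with privileged: true, bound only to that workload's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted
  namespace: app                  # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted
subjects:
- kind: ServiceAccount
  name: default
  namespace: app
---
# Kubernetes >= 1.25: Pod Security Admission replaces PSP. The level is a namespace label;
# both "baseline" and "restricted" forbid privileged containers, "restricted" also requires
# runAsNonRoot, dropped capabilities, no privilege escalation and a seccomp profile.
apiVersion: v1
kind: Namespace
metadata:
  name: app
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
```

To see which policy a given workload can use, run kubectl auth can-i use podsecuritypolicy/restricted --as=system:serviceaccount:app:default; a "no" for every PSP in the cluster produces the "unable to validate against any pod security policy" rejection regardless of what the pod spec says.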


Dead Ends

Common approaches that don't work:

  1. Set 'runAsNonRoot: false' in the pod security context. 70% fail

    A PodSecurityPolicy whose runAsUser rule is MustRunAsNonRoot rejects a pod that explicitly sets runAsNonRoot: false at admission; the pod-level field cannot override the policy. Pod Security Admission at the restricted level behaves the same way. It only "works" on a cluster with no such policy, and then the workload simply runs as root.

  2. Remove the security context entirely and let the image run as root. 80% fail

    A MustRunAsNonRoot policy mutates a pod that specifies neither runAsNonRoot nor runAsUser, setting runAsNonRoot: true on admission. The pod is then accepted but the kubelet refuses to start the container with the same "image will run as root" error, because the image's effective user is still uid 0.

  3. Use a different namespace where the policy is not applied. 60% fail

    PodSecurityPolicy objects are cluster-scoped; what is namespaced is the RBAC binding that authorizes a ServiceAccount to use a particular policy. A namespace with no binding at all rejects every pod ("unable to validate against any pod security policy"), and most clusters bind the same restrictive policy everywhere, so moving the workload rarely changes the outcome. Under Pod Security Admission the level is set per namespace by label, and any namespace labelled baseline or restricted still refuses privileged containers.