{
  "id": "policy/kubernetes-podsecuritypolicy-privileged-container-blocked",
  "signature": "Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed.",
  "signature_zh": "错误：容器设置了 runAsNonRoot，但镜像将以 root 身份运行。PodSecurityPolicy：不允许特权容器。",
  "regex": "container has runAsNonRoot and image will run as root\\. PodSecurityPolicy: Privileged containers are not allowed\\.",
  "domain": "policy",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "Kubernetes PodSecurityPolicy (or OPA/Gatekeeper) rejects a pod because the container image runs as root but the security context requires non-root, or the container is privileged.",
  "root_cause_type": "generic",
  "root_cause_zh": "Kubernetes PodSecurityPolicy（或 OPA/Gatekeeper）拒绝 Pod，因为容器镜像以 root 身份运行，但安全上下文要求非 root，或者容器是特权的。",
  "versions": [
    {
      "version": "Kubernetes 1.24",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "kubectl 1.28",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Set 'runAsNonRoot: false' in the pod security context.",
      "why_fails": "The PodSecurityPolicy may still block the pod if the policy itself requires non-root; the policy is enforced regardless of what the pod's security context requests.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "Remove the security context entirely and let the image run as root.",
      "why_fails": "If the PodSecurityPolicy has a rule that requires non-root, removing the security context does not bypass the policy; the pod may simply default to the image's user, which is root.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "Use a different namespace where the policy is not applied.",
      "why_fails": "PodSecurityPolicies are cluster-scoped or namespace-scoped depending on configuration. If cluster-scoped, all namespaces are affected. Even if namespace-scoped, the policy may still apply to the target namespace.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Modify the container image to run as a non-root user. Add a USER directive after FROM in the Dockerfile (e.g. 'FROM node:18-alpine' followed by 'USER node' on its own line), then rebuild and push the image.",
      "success_rate": 0.85,
      "how": "Modify the container image to run as a non-root user. Add a USER directive after FROM in the Dockerfile (e.g. 'FROM node:18-alpine' followed by 'USER node' on its own line), then rebuild and push the image.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Set a specific runAsUser in the pod security context that matches a non-root user in the image, e.g. 'runAsUser: 1000' under 'securityContext' (ensure user 1000 exists in the image).",
      "success_rate": 0.8,
      "how": "Set a specific runAsUser in the pod security context that matches a non-root user in the image, e.g. 'runAsUser: 1000' under 'securityContext' (ensure user 1000 exists in the image).",
      "condition": "",
      "sources": []
    },
    {
      "action": "Request an exception from the cluster administrator to allow the privileged container. This may involve creating a RoleBinding or ClusterRoleBinding that grants the pod's service account use of a less restrictive PSP.",
      "success_rate": 0.7,
      "how": "Request an exception from the cluster administrator to allow the privileged container. This may involve creating a RoleBinding or ClusterRoleBinding that grants the pod's service account use of a less restrictive PSP.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Modify the container image to run as a non-root user. Add a USER directive after FROM in the Dockerfile (e.g. 'FROM node:18-alpine' followed by 'USER node' on its own line), then rebuild and push the image.",
    "Set a specific runAsUser in the pod security context that matches a non-root user in the image, e.g. 'runAsUser: 1000' under 'securityContext' (ensure user 1000 exists in the image).",
    "Request an exception from the cluster administrator to allow the privileged container. This may involve creating a RoleBinding or ClusterRoleBinding that grants the pod's service account use of a less restrictive PSP."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://kubernetes.io/docs/concepts/security/pod-security-policy/",
  "official_doc_section": null,
  "error_code": "Forbidden",
  "verification_tier": "ai_generated",
  "confidence": 0.86,
  "fix_success_rate": 0.82,
  "resolvable": "true",
  "first_seen": "2023-12-05",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}