# Error: container has runAsNonRoot and image will run as root. PodSecurityPolicy: Privileged containers are not allowed.

- **ID:** `policy/kubernetes-podsecuritypolicy-privileged-container-blocked`
- **Domain:** policy
- **Category:** config_error
- **Error Code:** `Forbidden`
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

The title combines two different rejections. "container has runAsNonRoot and image will run as root" is raised by the kubelet, not by admission: the pod was accepted, but its effective security context (container-level fields override pod-level ones) has `runAsNonRoot: true` with no `runAsUser`, and the image's `USER` is unset or `0`, so the container is never started and the pod sits in `CreateContainerConfigError` with the message in its events. "Privileged containers are not allowed" comes from PodSecurityPolicy (or an equivalent OPA/Gatekeeper constraint) at admission time, when the pod sets `securityContext.privileged: true` and no PSP the requesting service account may `use` permits it; the API server answers `Forbidden` and the pod object is never created.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kubernetes 1.24 | active (last release with PodSecurityPolicy) | — | PSP deprecated in 1.21, removed in 1.25 |
| kubectl 1.28 | active | — | — |

From Kubernetes 1.25 the admission-time rejection comes from the built-in Pod Security Admission controller instead of PSP (with a differently worded message), while the kubelet's `runAsNonRoot` check is unchanged.

## Workarounds

1. **Rebuild the image so it runs as a numeric non-root user.** Add a `USER` directive with a numeric UID to the Dockerfile, then rebuild and push. A named user (`USER node`) is not enough: when `runAsNonRoot: true` is set and no `runAsUser` is given, the kubelet has to read the UID from the image config, and a non-numeric user fails with "image has non-numeric user (node), cannot verify user is non-root". (85% success)
   ```
   FROM node:18-alpine
   # node:18-alpine ships a "node" account with UID 1000; use the number, not the name
   USER 1000
   ```
2. **Set an explicit non-root `runAsUser` in the security context** that matches a user present in the image. The kubelet accepts any non-zero `runAsUser` without consulting the image, so this also works for images that leave `USER` unset, but the account should exist in the image's `/etc/passwd` (UID 1000 in `node:18-alpine`), or programs that look up the current user will fail at runtime. (80% success)
   ```
   securityContext:
     runAsNonRoot: true
     runAsUser: 1000
   ```
3. **For the privileged part of the message, drop `privileged: true` first**; most workloads that set it need only one or two capabilities (`securityContext.capabilities.add`) or a specific hostPath mount, which a PSP can allow individually. If the container genuinely must be privileged, request an exception from the cluster administrator: a PSP is granted through a Role or ClusterRole with the `use` verb on the `podsecuritypolicies` resource, bound by a RoleBinding or ClusterRoleBinding to the workload's service account. Bind only that service account, not the namespace's `default`, because a privileged PSP is equivalent to root on the node. (70% success)
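The kubelet rule behind the first message in the root cause, and the reason workarounds 1 and 2 pass it, reproduced as an added preflight check in Python. This is not code from the page or from Kubernetes; it follows the kubelet's decision order (container-level `securityContext` overrides pod-level; an explicit `runAsUser` is taken at face value; otherwise the image's `USER` must be a non-zero number) and uses a constructed table of image `USER` values in place of a registry lookup, so the image names other than `node:18-alpine`, the table, and every function name are this example's own.

```python
"""Preflight check mirroring the kubelet's runAsNonRoot verification.

Added example, not code from the page or from Kubernetes. It merges the pod-
and container-level securityContext the way the kubelet does (container wins)
and then applies the same three-step rule, against a constructed image table.
"""
from typing import Optional, Tuple

# Constructed stand-in for `docker inspect --format '{{.Config.User}}'`.
# Value is the image's USER field; None means unset, which the runtime
# reports as UID 0. Only node:18-alpine is a real image; the rest are made up.
IMAGE_USER = {
    "node:18-alpine": None,            # official image leaves USER unset -> root
    "example/app:user-name": "node",   # USER node: non-numeric, cannot be verified
    "example/app:user-uid": "1000",    # USER 1000: numeric, verifiable
    "example/app:user-root": "0",      # USER 0: explicitly root
}


def effective_security_context(pod_sc: dict, container_sc: dict) -> dict:
    """Container-level fields override pod-level fields, as in the kubelet."""
    merged = {}
    for key in ("runAsNonRoot", "runAsUser"):
        if key in container_sc:
            merged[key] = container_sc[key]
        elif key in pod_sc:
            merged[key] = pod_sc[key]
    return merged


def image_uid(image_user: Optional[str]) -> Tuple[Optional[int], str]:
    """Return (uid, username) as the runtime reports an image USER.

    Unset USER means uid 0. A numeric USER yields a uid; a non-numeric one
    yields only a username that the kubelet cannot map to a uid.
    """
    if not image_user:
        return 0, ""
    user = image_user.split(":")[0]      # drop an optional ":group" suffix
    if user.isdigit():
        return int(user), ""
    return None, user


def verify_run_as_non_root(pod_sc: dict, container: dict) -> Optional[str]:
    """Return None if the container may start, else the kubelet-style error."""
    sc = effective_security_context(pod_sc, container.get("securityContext", {}))
    if not sc.get("runAsNonRoot"):
        return None                                   # check not requested
    if "runAsUser" in sc:                             # explicit uid: image not consulted
        if sc["runAsUser"] == 0:
            return "container's runAsUser breaks non-root policy"
        return None
    # Unknown images are treated like an unset USER, i.e. root.
    uid, username = image_uid(IMAGE_USER.get(container["image"]))
    if uid == 0:
        return "container has runAsNonRoot and image will run as root"
    if uid is None and username:
        return (f"container has runAsNonRoot and image has non-numeric user "
                f"({username}), cannot verify user is non-root")
    return None


def check_pod(pod: dict) -> dict:
    """Map container name -> error message (None when the container would start)."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    return {c["name"]: verify_run_as_non_root(pod_sc, c) for c in spec["containers"]}


if __name__ == "__main__":
    # Constructed pod: runAsNonRoot set once at pod level, applied to all containers.
    pod = {"spec": {"securityContext": {"runAsNonRoot": True},
                    "containers": [
                        {"name": "root-image", "image": "node:18-alpine"},
                        {"name": "named-user", "image": "example/app:user-name"},
                        {"name": "numeric-user", "image": "example/app:user-uid"},
                        {"name": "pinned-uid", "image": "node:18-alpine",
                         "securityContext": {"runAsUser": 1000}},
                    ]}}
    for name, err in check_pod(pod).items():
        print(f"{name}: {err or 'ok'}")
```

Run it against a manifest loaded with a YAML parser and the output of `docker inspect` for each image to catch the kubelet failure before the pod is applied; the two containers that pass are exactly workarounds 1 (numeric `USER`) and 2 (explicit `runAsUser`).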

## Dead Ends

- **Set 'runAsNonRoot: false' in the pod security context.** — A PSP whose `runAsUser.rule` is `MustRunAsNonRoot` validates the pod's declared security context against that rule, so an explicit `false` is rejected at admission instead of at container start; on clusters using Pod Security Admission the `restricted` profile likewise requires `runAsNonRoot: true`. It also does nothing about `privileged: true`. (70% fail)
- **Remove the security context entirely and let the image run as root.** — With `MustRunAsNonRoot`, PSP admission mutates a pod that sets neither `runAsNonRoot` nor `runAsUser` by adding `runAsNonRoot: true`; the pod is then admitted and the kubelet fails it at container creation with exactly the "image will run as root" message, because the image's `USER` is still root. (80% fail)
- **Use a different namespace where the policy is not applied.** — PodSecurityPolicy objects are cluster-scoped; what differs per namespace is only which PSPs the RBAC bindings there let a service account `use`. A namespace with no usable PSP rejects every pod, and one with a less restrictive binding is an exception the administrator has to grant anyway (workaround 3). With Pod Security Admission the level is set per namespace by the `pod-security.kubernetes.io/enforce` label, which is equally an administrator decision. (60% fail)
