Forbidden
policy
config_error
ai_generated: true
Error: container has runAsNonRoot and image will run as root
ID: policy/kubernetes-podsecuritypolicy-privileged-container
Fix Rate: 85%
Confidence: 88%
Evidence: 1
First Seen: 2024-02-15
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Kubernetes v1.24+ | active | — | — | — |
| PodSecurity admission v1.25+ | active | — | — | — |
| OPA Gatekeeper v3.10+ | active | — | — | — |
Root Cause
Kubernetes PodSecurityPolicy or OPA Gatekeeper enforces that containers must not run as root (runAsNonRoot), but the container image's default user is root and no securityContext.runAsUser is set, so the kubelet cannot verify a non-root UID and refuses to start the container.
Official Documentation
https://kubernetes.io/docs/concepts/security/pod-security-standards/
Workarounds
- 85% success: Set securityContext.runAsUser to a non-root user ID (e.g., 1000) and ensure the image supports it.
- 90% success: Rebuild the container image to use a non-root USER directive in the Dockerfile.
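As an added example (not part of this record), a Pod manifest with the spec that triggers the error beside the corrected one; the image name and UID/GID 1000 are assumptions:

```yaml
# Rejected: runAsNonRoot is required, but the image's default USER is root and
# no runAsUser is given, so the kubelet fails the container with
# "container has runAsNonRoot and image will run as root".
apiVersion: v1
kind: Pod
metadata:
  name: app-root-fails              # constructed name
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: app
      image: registry.example.com/app:1.0   # assumed image whose USER is root
---
# Corrected: pin an explicit non-root UID/GID so the kubelet can verify the
# user without inspecting the image USER. UID 1000 is assumed to be usable in
# the image; anything the process writes must be writable by that UID.
apiVersion: v1
kind: Pod
metadata:
  name: app-nonroot                 # constructed name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000                   # mounted volumes get this group so UID 1000 can write
  containers:
    - name: app
      image: registry.example.com/app:1.0
      securityContext:
        allowPrivilegeEscalation: false
```

If the image is instead rebuilt with a numeric `USER 1000` directive (the second workaround), runAsUser can be omitted because the kubelet reads the numeric UID from the image; a non-numeric `USER app` still fails the check because the kubelet cannot confirm it is non-root.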
Dead Ends
Common approaches that don't work:
- 70% fail: This violates the PodSecurityPolicy baseline/restricted profile, causing the admission controller to reject the Pod entirely.
- 90% fail: Privileged containers are explicitly denied by restricted policies and also violate security best practices.