{
  "id": "policy/kubernetes-podsecuritypolicy-privileged-container",
  "signature": "Error: container has runAsNonRoot and image will run as root",
  "signature_zh": "错误：容器设置了 runAsNonRoot，但镜像将以 root 用户运行",
  "regex": "container has runAsNonRoot and image will run as root",
  "domain": "policy",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "Kubernetes PodSecurityPolicy or OPA Gatekeeper enforces that containers cannot run as root, but the container image's default user is root and no securityContext.runAsUser is set.",
  "root_cause_type": "generic",
  "root_cause_zh": "Kubernetes PodSecurityPolicy 或 OPA Gatekeeper 强制要求容器不能以 root 运行，但容器镜像的默认用户是 root，且未设置 securityContext.runAsUser。",
  "versions": [
    {
      "version": "Kubernetes v1.24+",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "PodSecurity admission v1.25+",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "OPA Gatekeeper v3.10+",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "This violates the PodSecurityPolicy baseline/restricted profile, causing the admission controller to reject the Pod entirely.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Privileged containers are explicitly denied by restricted policies and also violate security best practices.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Set securityContext.runAsUser to a non-root user ID (e.g., 1000) and ensure the image supports it.",
      "success_rate": 0.85,
      "how": "Set securityContext.runAsUser to a non-root user ID (e.g., 1000) and ensure the image supports it.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Rebuild the container image to use a non-root USER directive in the Dockerfile.",
      "success_rate": 0.9,
      "how": "Rebuild the container image to use a non-root USER directive in the Dockerfile.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "在 Pod spec 中设置 securityContext.runAsUser 为非 root 用户 ID（例如 1000），并确保镜像支持。",
    "重建容器镜像，在 Dockerfile 中使用非 root USER 指令。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
  "official_doc_section": null,
  "error_code": "Forbidden",
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2024-02-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}