# Error: container has runAsNonRoot and image will run as root

- **ID:** `policy/kubernetes-podsecuritypolicy-privileged-container`
- **Domain:** policy
- **Category:** config_error
- **Error Code:** `Forbidden`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

Kubernetes PodSecurityPolicy or OPA Gatekeeper enforces that containers cannot run as root (`runAsNonRoot: true`), but the container image's default user (its `USER` directive) is root and no `securityContext.runAsUser` overrides it.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Kubernetes v1.24+ | active | — | — |
| PodSecurity admission v1.25+ | active | — | — |
| OPA Gatekeeper v3.10+ | active | — | — |

## Workarounds

1. **Set `securityContext.runAsUser` to a non-root user ID (e.g., 1000) and ensure the image supports it.** (85% success)
2. **Rebuild the container image to use a non-root `USER` directive in the Dockerfile.** (90% success)
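As an added example (not part of this page and not Kubernetes' own code), the following Python re-implements the verification the kubelet performs when it creates the container, which is the check that produces the error text in the title; it applies the container-overrides-pod rule for `securityContext` and shows why the first workaround (an explicit non-zero `runAsUser`) and the second (an image rebuilt with a numeric `USER`) both clear it. The image references and their `USER` values are constructed for the illustration.

```python
# Added illustration (not from this page or from Kubernetes): a Python
# re-implementation of the kubelet's runAsNonRoot verification.

# Constructed image table: image reference -> USER recorded in the image
# config ("" = no USER directive, so the image defaults to root). Only the
# user part is modelled; "user:group" forms are not handled.
IMAGE_USER = {
    "registry.example/app:1.0": "",         # no USER directive
    "registry.example/app:1.1": "1000",     # rebuilt with USER 1000
    "registry.example/app:1.2": "appuser",  # named, non-numeric user
}

ROOT_MSG = "container has runAsNonRoot and image will run as root"


def effective_security_context(pod_spec, container):
    """Merge pod and container securityContext; container fields win."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def verify_run_as_non_root(pod_spec, image_user=IMAGE_USER):
    """Return {container_name: error} for containers the kubelet would refuse."""
    errors = {}
    for c in pod_spec.get("containers", []):
        sc = effective_security_context(pod_spec, c)
        if not sc.get("runAsNonRoot"):
            continue  # policy not requested for this container
        uid = sc.get("runAsUser")
        if uid is not None:
            if int(uid) == 0:  # explicit root UID contradicts the policy
                errors[c["name"]] = "container's runAsUser breaks non-root policy"
            continue  # any explicit non-zero UID satisfies runAsNonRoot
        user = image_user.get(c["image"], "")
        if user in ("", "0"):  # image defaults to root: the documented error
            errors[c["name"]] = ROOT_MSG
        elif not user.isdigit():  # kubelet cannot map a name to a UID
            errors[c["name"]] = ("container has runAsNonRoot and image has "
                                 f"non-numeric user ({user}), cannot verify")
    return errors


def pod(image, **container_sc):
    """Build a constructed pod spec with runAsNonRoot set at pod level."""
    container = {"name": "app", "image": image}
    if container_sc:
        container["securityContext"] = container_sc
    return {"securityContext": {"runAsNonRoot": True}, "containers": [container]}
```

Because the kubelet cannot resolve a named `USER` to a UID, rebuilding with a numeric user (workaround 2) is what actually satisfies the check; a named user only moves the failure to a different message.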

## Dead Ends

- This violates the PodSecurityPolicy baseline/restricted profile, causing the admission controller to reject the Pod entirely. (70% fail)
- Privileged containers are explicitly denied by restricted policies and also violate security best practices. (90% fail)
