Forbidden
policy
config_error
ai_generated: true
Error: container has runAsNonRoot and image will run as root
ID: policy/kubernetes-podsecuritypolicy-privileged-container
Fix rate: 85%
Confidence: 88%
Evidence count: 1
First seen: 2024-02-15
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Kubernetes v1.24+ | active | — | — | — |
| PodSecurity admission v1.25+ | active | — | — | — |
| OPA Gatekeeper v3.10+ | active | — | — | — |
Root cause analysis
Kubernetes PodSecurityPolicy or OPA Gatekeeper enforces that containers cannot run as root, but the container image's default user is root and no securityContext.runAsUser is set.
Official documentation
https://kubernetes.io/docs/concepts/security/pod-security-standards/
Solution
- Set securityContext.runAsUser in the Pod spec to a non-root user ID (for example 1000), and make sure the image supports running as that user.
- Rebuild the container image with a non-root USER directive in the Dockerfile.
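The two Pod specs below are an added example and are not part of this entry: the first reproduces the rejected configuration (runAsNonRoot enforced, image defaulting to root, no runAsUser), the second applies the first fix from the list above and also adds the remaining fields the Pod Security Standards restricted profile checks. The image reference, container and Pod names are placeholders; UID/GID 1000 is the entry's suggested non-root ID.

```yaml
# Added example, not from the knowledge-base entry.
# Assumptions: image, Pod and container names are placeholders;
# UID/GID 1000 is the non-root ID suggested in the entry.
---
# REJECTED: runAsNonRoot is enforced, the image has no USER directive (so its
# default user is root) and no runAsUser is set, so the Pod fails with
# "container has runAsNonRoot and image will run as root".
apiVersion: v1
kind: Pod
metadata:
  name: app-rejected
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image, runs as root by default
---
# ACCEPTED: the UID/GID are set explicitly, so the non-root check no longer
# depends on the image metadata. The image must still be usable by UID 1000
# (readable files, writable data dirs via fsGroup, no ports below 1024).
apiVersion: v1
kind: Pod
metadata:
  name: app-fixed
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000        # non-root UID from the entry's solution
    runAsGroup: 1000
    fsGroup: 1000          # volumes become group-writable for this GID
    seccompProfile:
      type: RuntimeDefault # required by the restricted profile
  containers:
    - name: app
      image: registry.example/app:1.0   # same placeholder image
      securityContext:
        allowPrivilegeEscalation: false # required by the restricted profile
        capabilities:
          drop: ["ALL"]                 # required by the restricted profile
```

Applying the second manifest with `kubectl apply -f` passes the runAsNonRoot check even though the image itself still defaults to root. The entry's second fix, a `USER 1000:1000` line in the Dockerfile, addresses the same problem from the image side; setting both is the most robust option because the Pod spec then documents the intended UID and the image works correctly wherever it is pulled without a spec override.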
Failed attempts
Common but ineffective approaches:
- 70% failure rate: This violates the PodSecurityPolicy baseline/restricted profile, causing the admission controller to reject the Pod entirely.
- 90% failure rate: Privileged containers are explicitly denied by restricted policies and also violate security best practices.