Prevent Run With Root Groups 1.1.5

Containers should not run with a root primary or supplementary GID. To enforce that, this policy restricts the following fields:

  • spec.securityContext.runAsGroup
  • spec.securityContext.supplementalGroups[*]
  • spec.securityContext.fsGroup
  • spec.containers[*].securityContext.runAsGroup
  • spec.initContainers[*].securityContext.runAsGroup

Note that this policy is part of the following security standards:

  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A17

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: v1
kind: Pod
metadata:
  name: groups-example
spec:
  securityContext:
-   runAsGroup: 0
-   supplementalGroups: [0]
-   fsGroup: 0
  initContainers:
    - name: hello1
      image: dummy-cronjob:invalid
      securityContext:
-        runAsGroup: 0
  containers:
    - name: hello2
      image: dummy-cronjob:invalid
      securityContext:
-        runAsGroup: 0
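As an added example (not SecurityTower's own code), a small checker that walks the restricted fields listed above, for a Pod directly or for the Pod template of the other kinds under Applies to; the sample manifest is constructed, reusing the example Pod with one container fixed.

```python
# Added example (not SecurityTower's own code): flag the GID fields this
# policy restricts, for a Pod or for the Pod template of the listed workloads.
from typing import Any, Dict, List

ROOT_GID = 0
TEMPLATED = {"ReplicaSet", "ReplicationController", "Deployment",
             "StatefulSet", "DaemonSet", "Job"}

def pod_spec_of(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Locate the Pod spec: directly, under spec.template, or under
    spec.jobTemplate.spec.template for CronJobs."""
    kind, spec = manifest.get("kind"), manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
        kind = "Job"
    if kind in TEMPLATED:
        return (spec.get("template") or {}).get("spec") or {}
    raise ValueError(f"unsupported kind: {kind}")

def root_group_violations(manifest: Dict[str, Any]) -> List[str]:
    """Return the documented field paths whose value is GID 0."""
    spec, found = pod_spec_of(manifest), []
    psc = spec.get("securityContext") or {}
    for key in ("runAsGroup", "fsGroup"):
        if psc.get(key) == ROOT_GID:
            found.append(f"spec.securityContext.{key}")
    for i, gid in enumerate(psc.get("supplementalGroups") or []):
        if gid == ROOT_GID:
            found.append(f"spec.securityContext.supplementalGroups[{i}]")
    for field in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(field) or []):
            if (c.get("securityContext") or {}).get("runAsGroup") == ROOT_GID:
                found.append(f"spec.{field}[{i}].securityContext.runAsGroup")
    return found

# Constructed sample: the page's Pod wrapped in a Deployment, with hello2
# fixed to GID 1000 and a mixed supplementalGroups list.
SAMPLE = {"apiVersion": "apps/v1", "kind": "Deployment",
          "metadata": {"name": "groups-example"},
          "spec": {"template": {"spec": {
              "securityContext": {"runAsGroup": 0, "fsGroup": 0,
                                  "supplementalGroups": [1000, 0]},
              "initContainers": [{"name": "hello1", "image": "dummy-cronjob:invalid",
                                  "securityContext": {"runAsGroup": 0}}],
              "containers": [{"name": "hello2", "image": "dummy-cronjob:invalid",
                              "securityContext": {"runAsGroup": 1000}}]}}}}
```

Running `root_group_violations(SAMPLE)` lists the four remaining root-GID fields; the fixed container hello2 is not reported.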

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.preventrunwithrootgroups as in the example below.
apiVersion: v1
kind: Pod
metadata:
  name: your-pod
  annotations:
    securitytower.io/policy.exclusion.preventrunwithrootgroups: |-
      This container must use root groups.
...