Containers should not run with a root primary or supplementary GID. To enforce that, this policy restricts the following fields:
spec.securityContext.runAsGroup
spec.securityContext.supplementalGroups[*]
spec.securityContext.fsGroup
spec.containers[*].securityContext.runAsGroup
spec.initContainers[*].securityContext.runAsGroup
Note that this policy is part of the following security standards:

k8s/restricted
: Heavily restricted policy, following current Pod hardening best practices.

nist/SP.800-190
: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3

bsi/containerization
: BSI IT-Grundschutz "Containerisierung": Section SYS.1.6.A17

Example of a Pod that violates this policy (every restricted field is set to the root GID 0):

apiVersion: v1
kind: Pod
metadata:
  name: groups-example
spec:
  securityContext:
    runAsGroup: 0
    supplementalGroups: [0]
    fsGroup: 0
  initContainers:
  - name: hello1
    image: dummy-cronjob:invalid
    securityContext:
      runAsGroup: 0
  containers:
  - name: hello2
    image: dummy-cronjob:invalid
    securityContext:
      runAsGroup: 0
To exclude a Pod from this policy, add the annotation
securitytower.io/policy.exclusion.preventrunwithrootgroups
with a justification as its value, as in the example below.

apiVersion: v1
kind: Pod
metadata:
  name: your-pod
  annotations:
    securitytower.io/policy.exclusion.preventrunwithrootgroups: |-
      This container must use root groups.
...
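As an added illustration of the checks this policy describes (not Security Tower's own implementation), the following function walks a Pod manifest, reports every restricted field that holds the root GID 0, and recognises the exclusion annotation. The manifest is a constructed Python dict mirroring the violating example above; the function names and field-path format are my own.

```python
"""Report root (0) GIDs in the fields restricted by this policy."""
from typing import Any, Dict, List

EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.preventrunwithrootgroups"


def root_group_violations(pod: Dict[str, Any]) -> List[str]:
    """Return field paths set to GID 0, in the order the policy lists them."""
    spec = pod.get("spec") or {}
    violations: List[str] = []

    # Pod-level securityContext: runAsGroup, supplementalGroups[*], fsGroup
    pod_sc = spec.get("securityContext") or {}
    if pod_sc.get("runAsGroup") == 0:
        violations.append("spec.securityContext.runAsGroup")
    for i, gid in enumerate(pod_sc.get("supplementalGroups") or []):
        if gid == 0:
            violations.append(f"spec.securityContext.supplementalGroups[{i}]")
    if pod_sc.get("fsGroup") == 0:
        violations.append("spec.securityContext.fsGroup")

    # Per-container runAsGroup for regular and init containers
    for kind in ("containers", "initContainers"):
        for i, container in enumerate(spec.get(kind) or []):
            sc = container.get("securityContext") or {}
            if sc.get("runAsGroup") == 0:
                violations.append(f"spec.{kind}[{i}].securityContext.runAsGroup")
    return violations


def is_excluded(pod: Dict[str, Any]) -> bool:
    """True when the Pod carries the policy's exclusion annotation."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    return EXCLUSION_ANNOTATION in annotations


# Constructed sample: the violating Pod from this page as a dict.
SAMPLE_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "groups-example"},
    "spec": {
        "securityContext": {"runAsGroup": 0, "supplementalGroups": [0], "fsGroup": 0},
        "initContainers": [{"name": "hello1", "image": "dummy-cronjob:invalid",
                            "securityContext": {"runAsGroup": 0}}],
        "containers": [{"name": "hello2", "image": "dummy-cronjob:invalid",
                        "securityContext": {"runAsGroup": 0}}],
    },
}
```

A Pod whose fields are unset or use a non-zero GID produces an empty list, which matches the policy's scope: it restricts root groups, not the absence of an explicit group.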