Control: Pod Security Policy should prohibit containers from running as root
Pod Security Policy should prohibit containers from running as root. Containers in a Pod should not run with root privileges. By default, many container services run as the privileged root user, and applications execute inside the container as root despite not requiring privileged execution. Preventing root execution by using non-root containers or a rootless container engine limits the impact of a container compromise.
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_security_policy_non_root_container
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run kubernetes_compliance.control.pod_security_policy_non_root_container --share
This control uses a named query:
select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when run_as_user ->> 'rule' = 'MustRunAsNonRoot' then 'ok'
    else 'alarm'
  end as status,
  case
    when run_as_user ->> 'rule' = 'MustRunAsNonRoot' then 'Pod security policy ' || name || ' restrict containers to run as non-root user.'
    else 'Pod security policy ' || name || ' does not restrict containers to run as non-root user.'
  end as reason,
  coalesce(context_name, '') as context_name,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_pod_security_policy;
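To make the query's decision logic concrete, here is an added example (not code from the kubernetes_compliance mod) that re-implements the named query in Python over constructed PodSecurityPolicy manifests, including the edge cases of a manifest with no uid and one with no runAsUser block; evaluate_psp, run_control and the sample policies are this example's own names.

```python
# Added example: mirrors the control's named query so the status/reason
# logic can be checked without Steampipe or Powerpipe. Sample manifests
# are constructed, not taken from any real cluster.

def evaluate_psp(psp, path=None, start_line=None, end_line=None):
    """Return the row the named query would produce for one PSP.

    psp is the parsed manifest (as from yaml.safe_load); path/start_line/
    end_line describe the source file for manifests that carry no uid.
    """
    meta = psp.get("metadata", {})
    name = meta.get("name", "")
    # coalesce(uid, concat(path, ':', start_line))
    resource = meta.get("uid") or f"{path}:{start_line}"
    # run_as_user ->> 'rule': a missing runAsUser block yields NULL, which is
    # never equal to 'MustRunAsNonRoot', so the query reports 'alarm'.
    rule = (psp.get("spec", {}).get("runAsUser") or {}).get("rule")
    non_root = rule == "MustRunAsNonRoot"
    has_location = None not in (path, start_line, end_line)
    return {
        "resource": resource,
        "status": "ok" if non_root else "alarm",
        "reason": f"Pod security policy {name} "
                  + ("restrict" if non_root else "does not restrict")
                  + " containers to run as non-root user.",
        # coalesce(path || ':' || start_line || '-' || end_line, '')
        "path": f"{path}:{start_line}-{end_line}" if has_location else "",
    }


# Constructed sample policies covering the cases the query distinguishes.
RESTRICTED = {"metadata": {"name": "restricted", "uid": "c0ffee"},
              "spec": {"runAsUser": {"rule": "MustRunAsNonRoot"}}}
PRIVILEGED = {"metadata": {"name": "privileged", "uid": "deadbf"},
              "spec": {"runAsUser": {"rule": "RunAsAny"}}}
# MustRunAs with a range starting above 0 also keeps root out in practice,
# but the query only credits MustRunAsNonRoot, so this is reported as alarm.
RANGED = {"metadata": {"name": "ranged", "uid": "abc123"},
          "spec": {"runAsUser": {"rule": "MustRunAs",
                                 "ranges": [{"min": 1000, "max": 65535}]}}}
# Manifest read from a file: no uid and no runAsUser block at all.
FROM_FILE = {"metadata": {"name": "unset"}, "spec": {}}


def run_control():
    """Evaluate every sample policy; returns the list of result rows."""
    return [evaluate_psp(RESTRICTED), evaluate_psp(PRIVILEGED), evaluate_psp(RANGED),
            evaluate_psp(FROM_FILE, path="psp.yaml", start_line=1, end_line=6)]


if __name__ == "__main__":
    for row in run_control():
        print(f"{row['status']:5} {row['resource']:12} {row['reason']}")
```

The RANGED case is the caveat to remember: the control checks the rule name only, so a policy that excludes UID 0 through MustRunAs ranges still shows as alarm.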