Benchmark: Containers should not run with root privileges
Description
Containers should not be deployed with root privileges. By default, many container images run their main process as root (UID 0), so the application inside the container executes as root even though it does not need elevated privileges. Running containers as a non-root user (for example by setting runAsNonRoot: true and a non-zero runAsUser in the workload's securityContext) or using a rootless container engine limits what an attacker gains from compromising the container.
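The check behind the controls in this benchmark can be reproduced offline against a manifest. The Python below is an added example, not code from the steampipe-mod-kubernetes-compliance mod, and the three manifests it evaluates are constructed inline. It applies the Kubernetes semantics the controls rely on: a container-level securityContext overrides the pod-level one field by field, runAsUser 0 is root, and runAsNonRoot: true makes the kubelet refuse to start an image whose user resolves to UID 0. Init containers are evaluated alongside regular containers, and the pod-template kinds listed under Controls are unwrapped to their pod spec.

```python
"""Evaluate a Kubernetes workload's containers for root execution.

Added example; not part of the steampipe-mod-kubernetes-compliance mod.
"""

ROOT_UID = 0


def effective_security_context(pod_spec, container):
    """Merge pod-level and container-level securityContext (container wins per field)."""
    merged = {}
    for key in ("runAsUser", "runAsNonRoot"):
        pod_val = (pod_spec.get("securityContext") or {}).get(key)
        ctr_val = (container.get("securityContext") or {}).get(key)
        merged[key] = ctr_val if ctr_val is not None else pod_val
    return merged


def check_container(pod_spec, container):
    """Return (status, reason); status is 'ok' or 'alarm'."""
    ctx = effective_security_context(pod_spec, container)
    uid, non_root = ctx["runAsUser"], ctx["runAsNonRoot"]
    if uid == ROOT_UID:
        # Explicit root wins even if runAsNonRoot is set: the kubelet would
        # refuse to start it, and the manifest is wrong either way.
        return "alarm", "runAsUser is 0 (root)"
    if non_root is True:
        return "ok", "runAsNonRoot is true"
    if uid is not None and uid > 0:
        return "ok", f"runAsUser is {uid}"
    return "alarm", "no runAsNonRoot/runAsUser set; image default (often root) applies"


def workload_findings(manifest):
    """Evaluate every container (init containers included) of a Pod or pod-template workload."""
    kind = manifest["kind"]
    if kind == "Pod":
        pod_spec = manifest["spec"]
    elif kind == "CronJob":
        pod_spec = manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    else:  # Deployment, DaemonSet, Job, ReplicaSet, ReplicationController, StatefulSet
        pod_spec = manifest["spec"]["template"]["spec"]
    findings = {}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        findings[c["name"]] = check_container(pod_spec, c)
    return findings


# Constructed sample manifests (assumed input, not taken from the page).
ROOT_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init-perms", "image": "busybox",
                            "securityContext": {"runAsUser": 0}}],
        "containers": [{"name": "web", "image": "nginx"}],  # no securityContext at all
    }}},
}

HARDENED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "initContainers": [{"name": "init-perms", "image": "busybox"}],
        "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged"}],
    }}},
}

# Pod-level non-root setting silently undone by a container-level override.
OVERRIDE_POD = {
    "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "debug", "image": "busybox",
                        "securityContext": {"runAsUser": 0}}],
    },
}

if __name__ == "__main__":
    for label, m in (("root", ROOT_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT),
                     ("override", OVERRIDE_POD)):
        for name, (status, reason) in workload_findings(m).items():
            print(f"{label}/{name}: {status} - {reason}")
```

The third manifest is the case worth remembering when reviewing findings: a pod-level runAsNonRoot: true does not protect a container whose own securityContext sets runAsUser: 0, so the check has to be made per container against the merged context rather than against the pod spec alone.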
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-kubernetes-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select Containers should not run with root privileges.

Run this benchmark in your terminal:

powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_non_root_container

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run kubernetes_compliance.benchmark.nsa_cisa_v1_pod_security_non_root_container --share

Controls
- CronJob containers should not run with root privileges
- DaemonSet containers should not run with root privileges
- Deployment containers should not run with root privileges
- Job containers should not run with root privileges
- Pod containers should not run with root privileges
- Pod Security Policy should prohibit containers from running as root
- ReplicaSet containers should not run with root privileges
- ReplicationController containers should not run with root privileges
- StatefulSet containers should not run with root privileges