2019-10-23 14:06:03 -07:00
# Run as non-root user
2019-10-23 15:36:37 -07:00
By default, all processes in a container run as the root user (uid 0). To prevent potential compromise of container hosts, specify a non-root and least privileged user ID when building the container image and require that application containers run as non root users i.e. set `runAsNonRoot` to `true` .
## Additional Information
* [Pod Security Context ](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ )
2019-10-23 14:06:03 -07:00
## Policy YAML
2019-11-08 19:25:43 -08:00
[disallow_root_user.yaml ](best_practices/disallow_root_user.yaml )
2019-10-23 14:06:03 -07:00
````yaml
2019-11-13 13:56:20 -08:00
apiVersion: kyverno.io/v1
2019-10-23 14:06:03 -07:00
kind: ClusterPolicy
metadata:
2019-11-08 19:25:43 -08:00
name: disallow-root-user
annotations:
2019-10-23 14:06:03 -07:00
spec:
rules:
2019-11-08 19:25:43 -08:00
- name: validate-runAsNonRoot
2019-10-23 14:06:03 -07:00
match:
resources:
kinds:
- Pod
validate:
2019-11-01 15:00:05 -07:00
message: "Root user is not allowed. Set runAsNonRoot to true"
2019-10-23 14:06:03 -07:00
anyPattern:
- spec:
securityContext:
runAsNonRoot: true
- spec:
containers:
- name: "*"
securityContext:
runAsNonRoot: true
````
