
KA-C003: Container could run as root

Warning Security PSS Restricted

CIS Kubernetes Benchmark v1.8, Section 5.2.6: Minimize the admission of root containers

Why This Matters

Without runAsNonRoot: true or a non-zero runAsUser, this container could run as root, depending on the container image's USER directive. The actual runtime user depends on the image and container runtime defaults. The PSS Restricted profile recommends explicit non-root enforcement.

How to Fix

Set runAsNonRoot: true or specify a non-zero runAsUser

Before (incorrect)

containers:
  - name: app
    securityContext: {}

After (correct)

containers:
  - name: app
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
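
An added example, not the analyzer's own code: a minimal Python check for the condition described above, resolving each setting the way Kubernetes does (a container-level securityContext field overrides the pod-level one). The sample Pod, function names and finding strings are constructed for illustration, and whether KA-C003 itself considers pod-level settings or initContainers is an assumption.

```python
import json

# Constructed sample Pod manifest in JSON form (not from the original page).
SAMPLE_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "demo"},
 "spec": {
   "securityContext": {"runAsUser": 1000},
   "initContainers": [{"name": "init", "securityContext": {"runAsUser": 0}}],
   "containers": [
     {"name": "app", "securityContext": {}},
     {"name": "sidecar", "securityContext": {"runAsNonRoot": true, "runAsUser": 0}},
     {"name": "worker", "securityContext": {"runAsNonRoot": true}},
     {"name": "legacy"}
   ]}}
""")


def effective(pod_sc, container_sc, field):
    """Container-level securityContext fields override pod-level ones."""
    if field in container_sc:
        return container_sc[field]
    return pod_sc.get(field)


def check_pod(pod):
    """Return {container name: finding} for containers that need attention."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        non_root = effective(pod_sc, sc, "runAsNonRoot")
        uid = effective(pod_sc, sc, "runAsUser")
        if non_root is True and uid == 0:
            # Satisfies the page's condition, but the kubelet refuses to start it.
            findings[c["name"]] = "runAsNonRoot conflicts with runAsUser 0"
        elif non_root is not True and (uid is None or uid == 0):
            # Neither safeguard is in effect: the image's USER decides.
            findings[c["name"]] = "could run as root"
    return findings


if __name__ == "__main__":
    for name, finding in check_pod(SAMPLE_POD).items():
        print(f"{name}: {finding}")
```

In the sample, the pod-level runAsUser: 1000 covers app, worker and legacy, while init overrides it back to UID 0 and sidecar combines runAsNonRoot: true with UID 0.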

Rule Details

Rule Code: KA-C003
Severity: Warning
Category: Security

Related Rules