InformationDo not generally permit containers to be run as the root user.
Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features still have an escalated likelihood of container breakout.
Ideally, all containers should run as a defined non-UID 0 user.
There should be at least one Security Context Constraint (SCC) defined which does not permit root users in a container.
If you need to run root containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC.
Pods with containers which run as the root user will not be permitted.
SolutionNone required. By default, OpenShift includes the non-root SCC with the the Run As User Strategy is set to either MustRunAsNonRoot. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs.
By default, OpenShift 4 clusters include the following SCCs:
anyuid Run As User Strategy: RunAsAny
hostaccess Run As User Strategy: MustRunAsRange
hostmount-anyuid Run As User Strategy: RunAsAny
hostnetwork Run As User Strategy: MustRunAsRange
node-exporter Run As User Strategy: RunAsAny
non-root Run As User Strategy: MustRunAsNonRoot
privileged Run As User Strategy: RunAsAny
restricted Run As User Strategy: MustRunAsRange