5.2.6 Minimize the admission of root containers

Information

Do not generally permit containers to be run as the root user.

Rationale:

Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features still have an escalated likelihood of container breakout.

Ideally, all containers should run as a defined non-UID 0 user.

There should be at least one Security Context Constraint (SCC) defined which does not permit root users in a container.

If you need to run root containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC.

Impact:

Pods with containers which run as the root user will not be permitted.

Solution

None required. By default, OpenShift includes the nonroot and nonroot-v2 SCCs that restrict the ability to run as nonroot. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs.

Default Value:

By default, the following SCCs restrict the ability to run as non-root:

'nonroot'

'nonroot-v2'

See Also

https://workbench.cisecurity.org/benchmarks/14166

Item Details

Category: ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-6(2), 800-53|AC-6(5), 800-53|AC-17(3), 800-53|SI-7, CSCv7|4.3

Plugin: OpenShift

Control ID: fede8d740d94375cebc4558d55914ab940d0e42f0243d03f70d2bf34e1b5a156