Given the following AKS advisor recommendation "Running containers as root user should be avoided" with the following remediation step:

  • For these pods, add rule: 'MustRunAsNonRoot' in a runAsUser section of the container's spec.

I should note here that MustRunAsNonRoot is part of PodSecurityPolicy, which should not be used anymore with AKS, as noted in "How to enforce MustRunAsNonRoot policy in K8S cluster in AKS".

I added runAsNonRoot: true to the pod's securityContext:

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    ...
  creationTimestamp: "2021-09-28T14:02:34Z"
  generation: 13
  labels:
    app.kubernetes.io/managed-by: Helm
  name: my-service
  namespace: my-namespace
  resourceVersion: "..."
  uid: ...
spec:
  replicas: 1
  ...
  template:
    metadata:
      ...
    spec:
      securityContext:
        runAsNonRoot: true

... but the resource is still being listed for this recommendation. What am I missing here, and what should I change in order to fulfill this recommendation?


1 Answer

Bridgecrew has defined several policies that enforce best practices when it comes to k8s deployments in production. You can verify your deployment configurations with the ones mentioned in those policies.

BC_K8S_22 and BC_K8S_37 are some of the policies that are related to containers, root users and their privileges.

The following are some of the configs you can include to adhere to the deployment best practices. You should go through all their policies and use the ones that best apply to your use case.

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsUser: 10500
  runAsGroup: 10500
  • Well, I have set `runAsNonRoot: true`, and user/group is managed within the Dockerfile (has to be, or the container would not start anymore). Therefore I can't see why it is not fulfilled. – sl3dg3 Sep 30 '21 at 12:54
  • Because when the container image is built with `UID 0` it is still root. You would need both settings: `runAsNonRoot: true` & `runAsUser: 1001`. You can read further here: https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand/ – Philip Welz Oct 01 '21 at 22:45
  • Important: when you define the default user that will be used in the running container via the `USER` command in your Dockerfile, make sure to use the UID of that user (not the username!). – Tommy Brettschneider Mar 10 '22 at 08:17
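To make the thread's conclusion concrete, here is an added example (my code, not from the question, the answer, or Azure Advisor). It computes the effective securityContext per container the way Kubernetes does (a field set on the container overrides the same field on the pod) and flags what a manifest-only scanner can flag: a container whose effective runAsUser is 0, or one with no runAsUser at all. The question's manifest falls into the second case: runAsNonRoot: true is set, but the UID lives only in the image's USER line, which the kubelet verifies at container start (a numeric, non-zero UID) and which a scanner reading the Deployment cannot see. The manifests, image names, and the rule that an unset runAsUser is reported are constructed assumptions mirroring the thread, not the advisor's actual logic; the UID/GID 10500 and the container-level settings applied by harden() come from the answer above.

```python
"""Static 'runs as root' check over Deployment manifests (parsed-YAML dicts)."""
import copy
from typing import Any, Dict, List

# securityContext fields where a container-level value overrides the pod-level one.
_MERGED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")

# Constructed manifest mirroring the question: pod-level runAsNonRoot: true and
# no runAsUser anywhere. The image name is a placeholder, not from the thread.
QUESTION_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "my-service", "namespace": "my-namespace"},
    "spec": {
        "replicas": 1,
        "template": {
            "spec": {
                "securityContext": {"runAsNonRoot": True},
                "containers": [
                    {"name": "my-service", "image": "example/my-service:1.0"},
                ],
            }
        },
    },
}

# Constructed manifest showing precedence: the pod says UID 10500, but a
# sidecar container overrides it with runAsUser: 0, so the sidecar is root.
OVERRIDE_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "with-sidecar", "namespace": "my-namespace"},
    "spec": {
        "template": {
            "spec": {
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10500},
                "containers": [
                    {"name": "app", "image": "example/app:1.0"},
                    {"name": "sidecar", "image": "example/sidecar:1.0",
                     "securityContext": {"runAsUser": 0}},
                ],
            }
        },
    },
}


def effective_security_context(pod_spec: Dict[str, Any], container: Dict[str, Any]) -> Dict[str, Any]:
    """Return the runAs* settings that actually apply to one container."""
    pod_ctx = pod_spec.get("securityContext") or {}
    ctr_ctx = container.get("securityContext") or {}
    merged: Dict[str, Any] = {}
    for field in _MERGED_FIELDS:
        if field in ctr_ctx:          # container-level value wins
            merged[field] = ctr_ctx[field]
        elif field in pod_ctx:        # otherwise inherit the pod-level value
            merged[field] = pod_ctx[field]
    return merged


def root_findings(deployment: Dict[str, Any]) -> List[str]:
    """Containers a manifest-only scanner cannot prove to be non-root.

    Assumed rules (they mirror the thread's conclusion, not the advisor's source):
      - effective runAsUser == 0 is root, whatever runAsNonRoot says;
      - no runAsUser at all is reported, even with runAsNonRoot: true, because that
        flag is only enforced by the kubelet at start-up by inspecting the image USER.
    """
    pod_spec = deployment["spec"]["template"]["spec"]
    containers = list(pod_spec.get("initContainers", [])) + list(pod_spec.get("containers", []))
    findings: List[str] = []
    for c in containers:
        ctx = effective_security_context(pod_spec, c)
        uid = ctx.get("runAsUser")
        if uid == 0:
            findings.append(f"{c['name']}: runAsUser is 0 (root)")
        elif uid is None and ctx.get("runAsNonRoot") is True:
            findings.append(f"{c['name']}: runAsNonRoot is true but runAsUser is unset, so the manifest cannot prove non-root")
        elif uid is None:
            findings.append(f"{c['name']}: no runAsUser and runAsNonRoot is not true")
    return findings


def harden(deployment: Dict[str, Any], uid: int = 10500, gid: int = 10500) -> Dict[str, Any]:
    """Return a copy with an explicit non-root identity on the pod securityContext
    plus the per-container restrictions listed in the answer. The original is untouched."""
    fixed = copy.deepcopy(deployment)
    pod_spec = fixed["spec"]["template"]["spec"]
    pod_spec.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "runAsUser": uid, "runAsGroup": gid})
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        ctx = c.setdefault("securityContext", {})
        ctx.setdefault("allowPrivilegeEscalation", False)
        ctx.setdefault("readOnlyRootFilesystem", True)
        if ctx.get("runAsUser") == 0:   # a container-level 0 would override the pod UID
            del ctx["runAsUser"]
    return fixed


if __name__ == "__main__":
    for name, dep in (("question", QUESTION_DEPLOYMENT), ("override", OVERRIDE_DEPLOYMENT)):
        print(name, root_findings(dep), "->", root_findings(harden(dep)))
```

The point the second manifest makes is easy to miss in a real cluster: setting runAsUser at pod level is not enough if any container (including init containers) sets its own runAsUser: 0, since the container-level value takes precedence. When applying the hardened manifest, the UID must also own or be able to read what the image needs, and readOnlyRootFilesystem usually requires an emptyDir for any path the process writes to.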