Json Yaml Run As User Below 10000
Description
Detects Kubernetes containers configured to run with user IDs below 10000, which can indicate containers running with excessive privileges. Running containers with low user IDs (especially root, UID 0) poses a security risk because it can give the container more access to the host system than it needs.
Detection Strategy
• Review container specifications in Kubernetes manifests for security context configurations
• Check if containers are missing security context configurations at both pod and container levels
• For containers with security contexts, verify if runAsUser is properly configured
• Flag containers that have runAsUser set to unsafe values (below 10000)
• Report containers that lack explicit user ID configurations when no safe pod-level user ID is set
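The detection strategy above, implemented as an added example (not part of the original rule or of Fluid Attacks' scanner). It takes a manifest already parsed into a dict (from JSON or YAML), applies the pod-level and container-level checks in order, and returns one finding per offending container; it also descends into spec.template.spec for workload kinds such as Deployment and checks initContainers, both of which are assumptions that go beyond the rule text.

```python
import json

SAFE_MIN_UID = 10000  # threshold used by the rule: UIDs below this are flagged


def _pod_spec(manifest):
    """Return the Pod spec, descending into spec.template.spec for workloads
    such as Deployment or Job (assumption: the usual Kubernetes layout)."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def find_unsafe_run_as_user(manifest):
    """Apply the detection strategy to one manifest (a dict parsed from JSON
    or YAML) and return one finding string per offending container."""
    spec = _pod_spec(manifest)
    pod_uid = spec.get("securityContext", {}).get("runAsUser")
    pod_safe = pod_uid is not None and pod_uid >= SAFE_MIN_UID
    findings = []
    # initContainers are checked as well; the rule text only names containers.
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            name = c.get("name", "<unnamed>")
            uid = c.get("securityContext", {}).get("runAsUser")
            if uid is not None:
                # Container-level value wins; flag it only if it is unsafe.
                if uid < SAFE_MIN_UID:
                    findings.append(f"{name}: runAsUser {uid} is below {SAFE_MIN_UID}")
            elif pod_uid is not None and not pod_safe:
                # No container-level value, and the inherited pod-level one is unsafe.
                findings.append(f"{name}: inherits pod-level runAsUser {pod_uid}, below {SAFE_MIN_UID}")
            elif not pod_safe:
                # No explicit user ID anywhere: the container falls back to the image default.
                findings.append(f"{name}: no runAsUser at container or pod level")
    return findings


# Constructed sample manifests (JSON form of the two YAML examples on this page)
VULNERABLE = json.loads('''{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "vulnerable-pod"},
 "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}''')

SECURE = json.loads('''{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "secure-pod"},
 "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 10000},
          "containers": [{"name": "nginx", "image": "nginx"}]}}''')

if __name__ == "__main__":
    for m in (VULNERABLE, SECURE):
        print(m["metadata"]["name"], find_unsafe_run_as_user(m) or "OK")
```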
Vulnerable code example
apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-pod
spec:
  containers:
    - name: nginx
      image: nginx # No securityContext at pod or container level, so no runAsUser is set
✅ Secure code example
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  automountServiceAccountToken: false # Prevent auto-mounting of service account tokens
  securityContext:
    runAsNonRoot: true # Pod-level non-root directive
    runAsUser: 10000 # Pod-level UID at or above the 10000 threshold, inherited by every container
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsUser: 10000 # Explicit container-level UID, also at or above the threshold