Remote code execution (RCE) due to root containers in Kubernetes workloads

Critical Risk container-security

kubernetescontainersroot-userprivilege-escalationsecurity-contextleast-privilegecontainer-securityrce

What it is

Kubernetes containers running as root (uid 0) present a significant security risk, as any code execution vulnerability within the container immediately grants root privileges. This enables container breakout attempts, filesystem tampering, lateral movement, and broader cluster compromise.

Language:

# VULNERABLE: Deployment without security context - runs as root
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vulnerable-app
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: vulnerable-app
  template:
    metadata:
      labels:
        app: vulnerable-app
    spec:
      # VULNERABLE: No security context specified
      containers:
      - name: web-server
        image: nginx:1.21
        ports:
        - containerPort: 80
        # VULNERABLE: Container will run as root (uid 0)
        
      - name: app-container
        image: my-app:latest
        ports:
        - containerPort: 8080
        # VULNERABLE: No security restrictions

# SECURE: Deployment with runAsNonRoot security context
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-app
  labels:
    app: secure-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: secure-app
  template:
    metadata:
      labels:
        app: secure-app
    spec:
      # SECURE: Pod-level security context
      securityContext:
        runAsNonRoot: true  # SECURE: Prevent root execution
        runAsUser: 1000
        fsGroup: 2000
        
      containers:
      - name: web-server
        image: nginx:1.21-alpine
        ports:
        - containerPort: 8080
        
        # SECURE: Container-level security context
        securityContext:
          runAsNonRoot: true  # SECURE: Prevent root execution
          runAsUser: 101
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        
      - name: app-container
        image: my-app:latest
        ports:
        - containerPort: 8080
        
        # SECURE: Application container security
        securityContext:
          runAsNonRoot: true  # SECURE: Prevent root execution
          runAsUser: 1001
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL

💡 Why This Fix Works

The vulnerable example shows a Kubernetes deployment without securityContext configurations, allowing containers to run as root with full privileges. The secure alternative implements comprehensive security contexts with runAsNonRoot: true, specific user IDs, read-only root filesystems, dropped capabilities, and additional hardening measures like seccomp profiles and resource limits.

Why it happens

Many container images run as root by default, and Kubernetes allows this unless explicitly configured otherwise through securityContext settings.

Root causes

Default Container Behavior

Many container images run as root by default, and Kubernetes allows this unless explicitly configured otherwise through securityContext settings.

Missing Security Context Configuration

Pod and container specifications omit runAsNonRoot and runAsUser settings, leaving containers to run with whatever user is specified in the image (often root).

Legacy Application Requirements

Applications that were designed to run with root privileges in traditional environments are containerized without proper security hardening or user privilege separation.

Fixes

Configure Non-Root Security Context

Set securityContext.runAsNonRoot: true and securityContext.runAsUser to a non-zero UID in pod or container specifications to ensure processes run as unprivileged users.

Update Container Images

Modify Dockerfiles to create and use dedicated non-root users, adjusting file ownership and permissions to support non-root execution while maintaining application functionality.

Implement Pod Security Standards

Use Kubernetes Pod Security Standards (PSS) or admission controllers like OPA Gatekeeper to enforce non-root execution policies cluster-wide and prevent root containers from being deployed.

Detect This Vulnerability in Your Code

Sourcery automatically identifies remote code execution (rce) due to root containers in kubernetes workloads and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities