Remote code execution (RCE) due to root containers in Kubernetes workloads

Severity: High Risk. Category: infrastructure-security

What it is

An attacker who gains code execution inside a container that runs as root already holds UID 0. Without user-namespace remapping (not enabled for Pods by default) that is the same UID 0 the host kernel uses, so a kernel vulnerability, an over-broad Linux capability, or a writable host path mounted into the container is enough to turn the foothold into a container breakout. A non-root process would first need a separate privilege escalation inside the container.

Why it happens

Most base images declare no USER, so their processes start as root, and Kubernetes runs a container as whatever user the image specifies unless the Pod spec overrides it with a securityContext.

Root causes

Default Root User in Images

Using container images that run as root by default (no USER directive in the Dockerfile) without overriding that with a runAsNonRoot or runAsUser securityContext.

Permission Issues Workaround

Running as root to sidestep file-permission errors on mounted volumes, rather than setting fsGroup so the volume is group-writable by the non-root UID or building the image with the right file ownership.

Missing Security Context

Not specifying securityContext at either the Pod or the container level. Kubernetes does not default to a non-root user; the container runs as the image's USER, which is root for most images.

Fixes

1. Set runAsNonRoot to true

Add securityContext.runAsNonRoot: true at the Pod level (or per container). The kubelet then refuses to start any container whose image would run as UID 0. Because it checks the numeric UID, an image whose USER is a name rather than a number is also refused, so pair this setting with runAsUser or a numeric USER in the image.

2. Specify a non-root user ID

Set securityContext.runAsUser (and runAsGroup) to a UID greater than 0; a high UID such as 10001 avoids colliding with system accounts. A container-level securityContext overrides the Pod-level one field by field, so also check sidecars and init containers that set their own runAsUser.

3. Use non-root base images

Choose or build images that create a non-root user, chown the files the process must write to that user, and end the Dockerfile with a numeric USER directive (for example USER 10001), so the image runs unprivileged even where no securityContext is set.
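The three fixes above and the root causes they address, as an added example that is not part of the original page or of Sourcery's scanner: a small audit that applies the Pod-spec precedence rule (a securityContext field on a container overrides the same field at spec.securityContext) to three constructed manifests, the unprotected workload, the "init container as root to fix permissions" workaround, and the hardened version. Manifests are embedded as JSON, which Kubernetes accepts, so only the standard library is needed; the image names are placeholders.

```python
"""Audit Kubernetes Pod manifests for containers that run, or may run, as root.

Added example, not Sourcery's scanner or Kubernetes project code. The
manifests below are constructed for this example; image names are placeholders.
"""
import json

# Root cause "Missing Security Context": no securityContext anywhere, so the
# container runs as whatever USER the image declares, root for most images.
VULNERABLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
 "spec": {"containers": [
   {"name": "app", "image": "example.com/app:1.0"}]}}
""")

# Root cause "Permission Issues Workaround": the Pod is non-root, but an
# init container is granted UID 0 to chown a volume. The container-level
# field wins over the pod-level one, so that container really runs as root.
WORKAROUND_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
 "spec": {
   "securityContext": {"runAsUser": 10001},
   "initContainers": [
     {"name": "fix-perms", "image": "example.com/busybox:1.0",
      "securityContext": {"runAsUser": 0}}],
   "containers": [
     {"name": "app", "image": "example.com/app:1.0"}]}}
""")

# Fixes 1 and 2 applied: runAsNonRoot enforced plus an explicit non-zero
# UID/GID at pod level; fsGroup makes the volume writable by that group, so
# the root init container is no longer needed.
HARDENED_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
 "spec": {
   "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                       "runAsGroup": 10001, "fsGroup": 10001},
   "containers": [
     {"name": "app", "image": "example.com/app:1.0",
      "securityContext": {"allowPrivilegeEscalation": false}}]}}
""")

FIELDS = ("runAsNonRoot", "runAsUser")


def effective_context(pod, container):
    """Merge pod- and container-level securityContext: the container wins."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    return {f: ctr_sc.get(f, pod_sc.get(f)) for f in FIELDS}


def classify(ctx):
    """Verdict for one container's effective securityContext.

    'root'    : UID 0 requested explicitly.
    'nonroot' : explicit non-zero UID, or runAsNonRoot=true (the kubelet then
                refuses to start the container if the image would run as UID 0
                or if its USER is a name it cannot resolve to a number).
    'unknown' : nothing set, so the image's USER decides; treat as root.
    """
    uid = ctx["runAsUser"]
    if uid is not None:
        return "root" if uid == 0 else "nonroot"
    if ctx["runAsNonRoot"] is True:
        return "nonroot"
    return "unknown"


def audit(pod):
    """Return (container name, verdict) for every init and app container."""
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return [(c["name"], classify(effective_context(pod, c))) for c in containers]


def violations(pod):
    """Names of containers that run as root or may run as root."""
    return [name for name, verdict in audit(pod) if verdict != "nonroot"]


if __name__ == "__main__":
    for label, pod in (("vulnerable", VULNERABLE_POD),
                       ("workaround", WORKAROUND_POD),
                       ("hardened", HARDENED_POD)):
        print(label, audit(pod), "violations:", violations(pod))
```

The workaround manifest is the one that tends to slip past a review that only looks at spec.securityContext: the Pod-level runAsUser looks correct, but the init container's own runAsUser: 0 overrides it, which is why the audit evaluates every container individually, init containers included.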

Detect This Vulnerability in Your Code

Sourcery automatically identifies remote code execution (RCE) due to root containers in Kubernetes workloads and many other security issues in your codebase.