Preventing Container from Running as Root with Pod Security Policy

Using a Pod Security Policy to Prevent Containers from Running as Root

Question

A pod security policy (PSP) is implemented in your Oracle Cloud Infrastructure Container Engine for Kubernetes cluster.

Which rule can you use to prevent a container from running as root using PSP? (Choose the best answer.)

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

C.

https://docs.bitnami.com/tutorials/secure-kubernetes-cluster-psp/

The correct answer is C. MustRunAsNonRoot.

A Pod Security Policy (PSP) is a cluster-level resource that controls the security context of a Pod and provides a way to enforce policies that safeguard the containerized applications running in the Kubernetes cluster. PSPs are applied at the cluster level, which means they are enforced for all pods in the cluster.

The MustRunAsNonRoot rule in a PSP is used to ensure that containers running in a Pod are not running as the root user. Running as the root user can increase the risk of privilege escalation attacks, which can be potentially dangerous to the system. The MustRunAsNonRoot rule specifies that a container must run as a non-root user in the Pod, and it will not allow containers to run as the root user.

The NoPrivilege and forbiddenRoot rules are not valid PSP rules. RunOnlyAsUser can be used to ensure that a container is run with a specific user ID, but it does not prevent the container from running as the root user if that user ID is the root user.

In summary, if you want to prevent a container from running as root using a Pod Security Policy in Oracle Cloud Infrastructure Container Engine for Kubernetes cluster, you should use the MustRunAsNonRoot rule.