controlplaneio/kubesec

.spec.securityContext.runAsNonRoot not considered as secure configuration

romansil opened this issue · 2 comments

Describe the bug

runAsNonRoot can be defined in two places:

  • Pod level: .spec.securityContext.runAsNonRoot
  • Container level: .spec.containers[].securityContext.runAsNonRoot

As mentioned in the notes of this Kubesec documentation page: "Container level security context settings are applied to the specific container and override settings made at the pod level where there is overlap".
Setting runAsNonRoot at the pod level is secure as well and should be parsed by Kubesec.

To Reproduce

Test the following manifest with Kubesec:

apiVersion: v1
kind: Pod
metadata:
  name: poc
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - name: tryout
      image: nginx

Expected behaviour
The advice for missing runAsNonRoot should not be reported if it's specified at the pod level.

Additional context
API documentation for both options:

Thanks for the report.

So all containers[].securityContext.x checks should also be .securityContext.x checks, but AFAIK none of them are set up that way. Might be best to change this issue to cover all cases.

fuog commented

btw. same goes for runAsUser: ignored at the pod level and wanted at the container level.
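As an added example (not kubesec's own code), the following Go program shows how a check has to resolve the pod-level securityContext as the default and let the container-level one override it, which is the behaviour the issue and fuog's comment both ask for, for runAsNonRoot and runAsUser. The first manifest is the issue's `poc` pod converted to JSON; the second manifest, the finding strings and the "unset or 0" criterion for runAsUser are this example's own assumptions, not kubesec's rules.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod schema: just the two fields discussed in the issue.
type SecurityContext struct {
	RunAsNonRoot *bool  `json:"runAsNonRoot,omitempty"`
	RunAsUser    *int64 `json:"runAsUser,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
}

type Pod struct {
	Spec PodSpec `json:"spec"`
}

// Effective is what a container actually runs with: pod-level values,
// overridden field by field where the container sets its own.
type Effective struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

// EffectiveContext merges pod-level and container-level contexts; a field the
// container leaves unset falls back to the pod-level value (nil if neither sets it).
func EffectiveContext(pod, c *SecurityContext) Effective {
	var e Effective
	if pod != nil {
		e.RunAsNonRoot = pod.RunAsNonRoot
		e.RunAsUser = pod.RunAsUser
	}
	if c != nil {
		if c.RunAsNonRoot != nil {
			e.RunAsNonRoot = c.RunAsNonRoot
		}
		if c.RunAsUser != nil {
			e.RunAsUser = c.RunAsUser
		}
	}
	return e
}

// Findings returns one advisory per container whose effective settings do not
// pin it to a non-root user. The wording and the runAsUser criterion are
// assumptions of this example, not kubesec's.
func Findings(manifest []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, err
	}
	var out []string
	for _, c := range pod.Spec.Containers {
		e := EffectiveContext(pod.Spec.SecurityContext, c.SecurityContext)
		switch {
		case e.RunAsNonRoot == nil:
			out = append(out, c.Name+": runAsNonRoot not set at pod or container level")
		case !*e.RunAsNonRoot:
			out = append(out, c.Name+": runAsNonRoot is false")
		}
		switch {
		case e.RunAsUser == nil:
			out = append(out, c.Name+": runAsUser not set at pod or container level")
		case *e.RunAsUser == 0:
			out = append(out, c.Name+": runAsUser is 0 (root)")
		}
	}
	return out, nil
}

// PocManifest is the issue's reproduction manifest in JSON form.
const PocManifest = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"poc"},
 "spec":{"securityContext":{"runAsNonRoot":false},
         "containers":[{"name":"tryout","image":"nginx"}]}}`

// OverrideManifest is constructed for this example: a safe pod-level default
// that one container inherits and another overrides with root settings.
const OverrideManifest = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"override"},
 "spec":{"securityContext":{"runAsNonRoot":true,"runAsUser":10001},
         "containers":[{"name":"app","image":"nginx"},
                       {"name":"debug","image":"busybox",
                        "securityContext":{"runAsNonRoot":false,"runAsUser":0}}]}}`

func main() {
	for _, m := range []string{PocManifest, OverrideManifest} {
		f, err := Findings([]byte(m))
		if err != nil {
			panic(err)
		}
		fmt.Println(f)
	}
}
```

Because the merge happens per field, a container with no securityContext of its own ("app" above) inherits the pod-level values and produces no finding, while "debug" is flagged for both fields even though the pod level is safe, which is exactly the override semantics the documentation quoted in the issue describes.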