CIS-1.6 profile, root containers allowed?

inzanez · May 31, 2022, 8:31am

Hi

I recently set up an RKE2 test cluster where I used the profile: cis-1.6 as an option during installation. I was under the impression that I wasn’t able to run containers as ‘root’ anymore, which was not really an issue as I think that’s generally not a good idea.

Now I created another setup that should be used in production, also with the profile: cis-1.6 flag, but interestingly I can run containers as ‘root’ user on this one. Unfortunately I do not have the test setup anymore and so I am wondering if I was mistaken in the first place that the cis-1.6 profile would forbid containers running as root?

Is there a way to check if the profile has been applied?

inzanez · May 31, 2022, 12:08pm

I guess I can clarify that myself: it is right, the root user cannot be used with the CIS-1.6 profile. It seems that restoring a backup using Velero somehow managed to restore the pods in a running state and interestingly running as root user.
After restarting the deployments, the pods didn’t come up anymore with the warning that the root user was not allowed to be used.

Topic	Replies	Views
CIS Kubernetes Benchmark: Problem with PSP and cis-operator/kube-bench k3s, k3OS, and k3d	1040	February 3, 2022
Security Advisory for containerd CVE-2020-15257 and Kubernetes CVE-2020-8554] Announcements	2324	December 10, 2020
Cert-deployer failing	1340	June 6, 2020
CIS Finding (6.1.10 - World Writable File) k3s, k3OS, and k3d	259	August 18, 2023
Support for vSphere 8.0?	461	February 17, 2023

CIS-1.6 profile, root containers allowed?

Related Topics