CIS-1.6 profile, root containers allowed?

inzanez · May 31, 2022, 8:31am

Hi

I recently set up an RKE2 test cluster where I used the profile: cis-1.6 as an option during installation. I was under the impression that I wasn’t able to run containers as ‘root’ anymore, which was not really an issue as I think that’s generally not a good idea.

Now I created another setup that should be used in production, also with the profile: cis-1.6 flag, but interestingly I can run containers as ‘root’ user on this one. Unfortunately I do not have the test setup anymore and so I am wondering if I was mistaken in the first place that the cis-1.6 profile would forbid containers running as root?

Is there a way to check if the profile has been applied?

inzanez · May 31, 2022, 12:08pm

I guess I can clarify that myself: it is right, the root user cannot be used with the CIS-1.6 profile. It seems that restoring a backup using Velero somehow managed to restore the pods in a running state and interestingly running as root user.
After restarting the deployments, the pods didn’t come up anymore with the warning that the root user was not allowed to be used.

Topic		Replies	Views
CIS Kubernetes Benchmark: Problem with PSP and cis-operator/kube-bench k3s, k3OS, and k3d	0	1093	February 3, 2022
User namespace and the network agent container	2	1789	June 6, 2016
Security Advisory for containerd CVE-2020-15257 and Kubernetes CVE-2020-8554] Announcements	0	2359	December 10, 2020
Projects and CIS mode seem incompatible (please correct me!) Rancher	3	581	August 4, 2021
Cert-deployer failing	0	1398	June 6, 2020

CIS-1.6 profile, root containers allowed?

Related topics