CKV_K8S_40 check failing even when using a high UID
Describe the bug
When scanning my kubernetes YAML, it is failing the check even when the UID is set higher than 1000. It only passes when I set a UID higher than 10000.
To Reproduce
Steps to reproduce the behavior: Scan a YAML where the runAsUser is set to a high UID that is less than 10000.
Expected behavior
This check should pass
Screenshots
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.skunkworks.velero-testing
File: /test-velero.yaml:1-29
Guide: https://docs.bridgecrew.io/docs/bc_k8s_37
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: skunkworks
5 |   namespace: velero-testing
6 | spec:
7 |   replicas: 1
8 |   revisionHistoryLimit: 0
9 |   selector:
10 |     matchLabels:
11 |       app: velero-test
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: velero-test
16 |     spec:
17 |       containers:
18 |         - name: xs-1
19 |           image: alpine:3.12
20 |           resources:
21 |             requests:
22 |               cpu: 10m
23 |               memory: 16Mi
24 |             limits:
25 |               cpu: 10m
26 |               memory: 16Mi
27 |           securityContext:
28 |             runAsUser: 1234
Desktop (please complete the following information):
- Running in the bridgecrew/checkov:latest container
Issue Analytics: created 3 years ago, 1 reaction, 5 comments
Top GitHub Comments
Thanks @scott-sudweeks, that's exactly the case, due to systems commonly starting non-root and non-system users at 1000+, so 10,000 seemed like a safe buffer.
Apologies @ajchiarello I didn’t do a very good job of explaining that, we do indeed trigger on anything less than UID 10,000.
I’ve updated the documentation in the checkov guidance link for this check to reflect 10,000 and added more information on why!
Thanks @metahertz for adjusting the documentation! Since no further comments were added I'm closing this, but feel free to open a new issue if further info is needed.
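To make the behaviour discussed in this thread concrete, here is an added example (not checkov's own implementation) that applies the rule the maintainers describe, any runAsUser below 10,000 fails, to the Deployment from the report. The manifest is embedded as a Python dict constructed to match the YAML above; the pod-level fallback and the treatment of a missing runAsUser as a failure are assumptions of this example, not verified against checkov.

```python
# Added example: a minimal evaluator for the "high UID" rule as described
# in the issue thread. Not checkov's code; the threshold name is assumed.
HIGH_UID_THRESHOLD = 10000  # per the maintainers' comments: < 10,000 fails

# The Deployment from the issue, reduced to the fields the rule needs
# (constructed to match the YAML in the report).
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "skunkworks", "namespace": "velero-testing"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "xs-1",
                        "image": "alpine:3.12",
                        "securityContext": {"runAsUser": 1234},
                    }
                ]
            }
        }
    },
}


def pod_spec(resource: dict) -> dict:
    """Return the pod spec of a bare Pod or of a workload's pod template."""
    spec = resource.get("spec") or {}
    if resource.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def evaluate_high_uid(resource: dict, threshold: int = HIGH_UID_THRESHOLD) -> dict:
    """Map each container name to "PASSED" or "FAILED".

    A container-level runAsUser overrides the pod-level one (Kubernetes
    semantics). A container with no runAsUser at either level is treated
    as FAILED here, because the image then decides the UID (assumption).
    """
    spec = pod_spec(resource)
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    results = {}
    for container in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        uid = (container.get("securityContext") or {}).get("runAsUser", pod_uid)
        ok = isinstance(uid, int) and uid >= threshold
        results[container["name"]] = "PASSED" if ok else "FAILED"
    return results
```

Running it on the manifest from the report reproduces the FAILED result for UID 1234, and raising runAsUser to 10000 or above (or lowering the threshold to 1000, as the reporter expected) makes it pass.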