🔒 Pod Security Standards: PSS-RunAsNonRoot (Rule: PSS-006, severity: high)

runAsNonRoot required

Description

The Restricted level requires runAsNonRoot: true on all containers.

⚠️ Risk Impact

A container running as root keeps root privileges inside the container; combined with a container-escape CVE, that becomes root on the host.

🔍 How EchelonGraph Detects This

PSS-006: automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Set securityContext.runAsNonRoot: true together with a non-zero runAsUser. Use distroless or rootless images.

💀 Real-World Attack Scenario

A container ran as root, was compromised via Log4Shell, and escaped to the host through a runc CVE, yielding host root.

💰 Cost of Non-Compliance

Root-container escape: $4M+ on average.

📋 Audit Questions

  1. Is runAsNonRoot: true set universally?
  2. Is there an image rebuild plan for legacy images?

🎯 MITRE ATT&CK Mapping

T1611 — Escape to Host

⚡ Common Pitfalls

  • Legacy images default to root
  • runAsNonRoot: true is set but no UID is specified
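The remediation and pitfalls above can be checked mechanically before admission. The following is an added example, not EchelonGraph's scanner code: it walks parsed pod manifests (constructed sample dicts, not from a real cluster), merges the pod-level and container-level securityContext the way Kubernetes does (container keys override pod keys), and emits a PSS-006 finding for any container that is not runAsNonRoot: true, a warning for the "runAsNonRoot: true but no UID" pitfall, and a high finding for the contradictory runAsUser: 0. Pod names, images and the UID 10001 are assumptions chosen for the example.

```python
"""Added example (not EchelonGraph's code): checks pod manifests for the
PSS Restricted runAsNonRoot requirement described on this page as PSS-006."""

from typing import Any

# Constructed sample manifests, as parsed dicts (not taken from any real cluster).
LEGACY_ROOT_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "legacy-app"},
    # No securityContext at all: the image's default user (often root) is used.
    "spec": {"containers": [{"name": "app", "image": "legacy/app:1.0"}]},
}

NO_UID_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "half-fixed"},
    # The pitfall from the page: runAsNonRoot is set, but no UID is given, so the
    # result depends on the image's USER directive when the container starts.
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "image": "legacy/app:1.0"}],
    },
}

HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hardened-app"},
    # Pod-level values apply to every container unless a container overrides them.
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001},
        "initContainers": [{"name": "init", "image": "legacy/init:1.0"}],
        "containers": [{"name": "app", "image": "gcr.io/distroless/static:nonroot"}],
    },
}


def effective_security_context(pod_spec: dict[str, Any], container: dict[str, Any]) -> dict[str, Any]:
    """Merge pod-level and container-level securityContext; container-level keys win."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def check_pod(pod: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per container that violates or only partially meets PSS-006."""
    findings: list[dict[str, str]] = []
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Init containers run with the same privileges as app containers, so check them too.
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            ctx = effective_security_context(spec, container)
            ref = f"{pod_name}/{kind}/{container.get('name', '<unnamed>')}"
            run_as_non_root = ctx.get("runAsNonRoot")
            run_as_user = ctx.get("runAsUser")
            if run_as_non_root is not True:
                findings.append({"rule": "PSS-006", "severity": "high", "container": ref,
                                 "message": "runAsNonRoot is not true; container may run as root"})
            elif run_as_user is None:
                findings.append({"rule": "PSS-006", "severity": "warning", "container": ref,
                                 "message": "runAsNonRoot is true but no runAsUser; relies on the image's USER"})
            elif run_as_user == 0:
                findings.append({"rule": "PSS-006", "severity": "high", "container": ref,
                                 "message": "runAsNonRoot is true but runAsUser is 0 (contradictory)"})
    return findings


if __name__ == "__main__":
    for sample in (LEGACY_ROOT_POD, NO_UID_POD, HARDENED_POD):
        for finding in check_pod(sample):
            print(f"[{finding['severity']}] {finding['container']}: {finding['message']}")
```

The "warning" case is deliberately not silent: a manifest check cannot see the image's USER, and the kubelet only discovers at start time whether an image under runAsNonRoot: true would run as UID 0, so an explicit non-zero runAsUser is what makes the control verifiable from the manifest alone.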

📈 Business Value

Non-root containers limit container-compromise impact.

⏱️ Effort Estimate

Manual: per-image rebuild

With EchelonGraph: EchelonGraph identifies root containers

🔗 Cross-Framework References

CIS-K8S-5.7.3

Automate Pod Security Standards PSS-RunAsNonRoot compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
