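# Nuclei template: flags Kubernetes containers whose effective runAsUser is 0.
# The `code` step lists every pod (all namespaces) and the json extractor
# reduces each pod to {pod, namespace, securityContext, containers}; the flow
# then runs the javascript check once per pod, exporting one line per
# offending container.
id: k8s-root-user-id

info:
  name: Pods run with root user ID
  author: princechaddha
  severity: low
  description: Checks for pods running with the user ID of the root user, increasing security risks.
  impact: |
    Running pods with the root user ID can allow malicious entities to gain unnecessary privileges, leading to potential compromises in the Kubernetes environment.
  remediation: Configure pods to run with a non-root user ID by setting the 'securityContext' for each container and the pod itself.
  reference:
    - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  tags: cloud,devops,kubernetes,security,devsecops,pods

# Run the shell step once, then the javascript step for every extracted item.
flow: |
  code(1);
  for (let pod of template.items) {
    set("pod", pod);
    javascript(1);
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: kubectl get pods --all-namespaces --output=json

    extractors:
      - type: json
        name: items
        internal: true
        json:
          # namespace is needed because pod names are only unique per namespace,
          # and the pod-level securityContext is the fallback for containers that
          # do not set runAsUser themselves.
          - '.items[] | {pod: .metadata.name, namespace: .metadata.namespace, securityContext: .spec.securityContext, containers: .spec.containers}'

javascript:
  - code: |
      // Each `template.pod` is one JSON object produced by the `items` extractor
      // above: {pod, namespace, securityContext, containers}.
      const podData = JSON.parse(template.pod);
      // Pod-level runAsUser applies to every container that does not set its own;
      // a container-level securityContext overrides the pod-level one.
      const podCtx = podData.securityContext;
      const podRunAsUser = podCtx ? podCtx.runAsUser : undefined;
      (podData.containers || []).forEach(container => {
        const ctx = container.securityContext;
        const effectiveRunAsUser = (ctx && ctx.runAsUser !== undefined) ? ctx.runAsUser : podRunAsUser;
        // Only an explicit UID 0 is reported; a container with no runAsUser at
        // either level runs as the image's default user, which is not known here.
        if (effectiveRunAsUser === 0) {
          Export(`Container '${container.name}' in pod '${podData.pod}' (namespace '${podData.namespace}') is running with root user ID.`);
        }
      });

    extractors:
      - type: dsl
        dsl:
          - response
# NOTE(review): the digest below presumably signs the original template body;
# after any edit the template needs to be re-signed for the digest to match.
# digest: 4a0a00473045022100c1eee5714a5bba3549ccef97ba37cc178ad76f7786c90732ff49d211d1d4153802204dae0cd7ef2c634e85d3d27a7feb5c9508f4066a91f7ef56f861ed86af5bb420:366f2a24c8eb519f6968bd8801c08ebe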