in policy/check_runAsUser.go [62:99]
func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// things that explicitly set runAsUser=0
var badSetters []string
if podSpec.SecurityContext != nil && podSpec.SecurityContext.RunAsUser != nil && *podSpec.SecurityContext.RunAsUser == 0 {
badSetters = append(badSetters, "pod")
}
// containers that explicitly set runAsUser=0
var explicitlyBadContainers []string
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil && container.SecurityContext.RunAsUser != nil && *container.SecurityContext.RunAsUser == 0 {
explicitlyBadContainers = append(explicitlyBadContainers, container.Name)
}
})
if len(explicitlyBadContainers) > 0 {
badSetters = append(
badSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(explicitlyBadContainers)),
joinQuote(explicitlyBadContainers),
),
)
}
// pod or containers explicitly set runAsUser=0
if len(badSetters) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "runAsUser=0",
ForbiddenDetail: fmt.Sprintf("%s must not set runAsUser=0", strings.Join(badSetters, " and ")),
}
}
return CheckResult{Allowed: true}
}