CVE-2019-11245

Vulnerability details

Containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

Scope

If a pod specifies mustRunAsNonRoot: true, the pod will run as uid 0 when it restarts or the image is pulled onto a node.

Prevention

Specify mustRunAsNonRoot: true for pods.
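
A check for the condition described under "Vulnerability details", as an added example that is not part of the original advisory: it reads pod objects in the shape of `kubectl get pods -o json` and flags containers that have no effective runAsUser and no non-root requirement. It assumes the pod-manifest field is securityContext.runAsNonRoot (the setting this page writes as mustRunAsNonRoot); the sample pods and the status labels are constructed for illustration.

```python
# Added example: audit pods for the CVE-2019-11245 exposure condition.
# Assumption: input has the shape of `kubectl get pods -o json`.

# Constructed sample pods (not taken from a real cluster).
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"containers": [{"name": "nginx"}]}},
    {"metadata": {"namespace": "web", "name": "api"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [
                  {"name": "app"},
                  {"name": "sidecar", "securityContext": {"runAsUser": 1000}}]}},
    {"metadata": {"namespace": "batch", "name": "job"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "initContainers": [
                  {"name": "init", "securityContext": {"runAsNonRoot": False}}],
              "containers": [{"name": "worker"}]}},
]}


def effective(pod_sc, ctr_sc, key):
    """A container-level securityContext value overrides the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def audit(pod_list):
    """Return (pod, container, status) for every container in the list."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        pod_name = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            ctr_sc = ctr.get("securityContext") or {}
            if effective(pod_sc, ctr_sc, "runAsUser") is not None:
                status = "explicit-uid"   # uid is pinned in the manifest
            elif effective(pod_sc, ctr_sc, "runAsNonRoot") is True:
                status = "fails-closed"   # kubelet refuses to start it as root
            else:
                status = "exposed"        # may come up as uid 0 on restart
            findings.append((pod_name, ctr.get("name"), status))
    return findings


if __name__ == "__main__":
    for pod_name, ctr_name, status in audit(SAMPLE):
        print(f"{status:13} {pod_name} [{ctr_name}]")
```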

Fixed by Official

  • v1.14.3
  • v1.13.7

Fixed by KLTS


Last modified March 8, 2022 : mv en to kuberentes/ (95aa90d4)