Why is the root user allowed by default in public cloud Kubernetes services?

In a Kubernetes environment, I suppose that the root user should not be allowed by default, to mitigate the risk in case the host OS is accessed from inside a container. This setting should be done by writing it in a PodSecurityPolicy.

Considering this, I am just wondering: why can we use the root user to run containers in public cloud Kubernetes services such as EKS, AKS and GKE? Do they have another layer of security measures to prevent containers from being compromised by attackers?
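For reference, this is what the setting the question refers to looks like. It is an added example, not part of the question or either answer: a PodSecurityPolicy that rejects pods whose effective UID would be 0, followed by a Pod that satisfies it by declaring runAsNonRoot at the pod level and using an image that does not need root. The policy and pod names, the UID and the image tag are assumptions; the PodSecurityPolicy API only exists on clusters older than Kubernetes 1.25, where it was removed in favour of Pod Security Admission.

```yaml
# Added example (not from the original question or answers). Assumes a cluster
# with the PodSecurityPolicy admission controller enabled (Kubernetes < 1.25).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nonroot-only            # assumed name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot      # rejects any pod whose effective UID would be 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  volumes:
    - configMap
    - emptyDir
    - secret
    - persistentVolumeClaim
---
# Pod-level equivalent that works with or without a PSP: the kubelet refuses to
# start a container when runAsNonRoot is true and the image would run as UID 0.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-nonroot           # assumed name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 101              # assumed UID; the nginx-unprivileged image uses it
  containers:
    - name: nginx
      image: nginxinc/nginx-unprivileged:1.25   # assumed tag; listens on 8080
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

A PodSecurityPolicy only takes effect once a Role or ClusterRole granting the `use` verb on it is bound to the service account that creates the pod; without that binding every pod is rejected. On clusters at 1.25 or later the same requirement is expressed by labelling the namespace with `pod-security.kubernetes.io/enforce=restricted`, whose restricted profile also requires runAsNonRoot, dropped capabilities and allowPrivilegeEscalation set to false.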


Solution 1:

Even if there is the possibility of a containerized process gaining access to the host OS due to an unfixed vulnerability, and thus having full control of the system due to it running as root, I believe public clouds choose not to enforce this by default because many well-known software packages have their main process run as root - for example, the nginx service relies on a main daemon process running as root, which in turn spawns the worker processes running as www-data for better security.

Solution 2:

The root user is allowed to perform any action on a Linux system, including running Docker containers. There is no way to not allow the root user to run Docker containers. Instead, the way to go is to limit access to the root user and use sudo to allow non-root users to perform certain actions on the system.

However, in the case of Docker it doesn't matter that much because:

"The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface." (Docker documentation, "Manage Docker as a non-root user")

So any Linux user that has permission to execute docker commands can gain root privileges on the system.

Root privileges inside a container are not a problem, as Docker is an OS-level virtualization technology. The root user inside the container doesn't have access to the underlying OS running the Docker daemon.