"runAsNonRoot: true" should be in Pod and Container SecurityContexts

[hikkyXII]

Hello!
K-Rail policy No Root User allows me to run Pod only if runAsNonRoot: true is specified in Pod's AND Container's securityContext same time.
Is it correct behavior or should I be able to run pod ONLY with runAsNonRoot: true in PodSecurityContext?
Thanks in advance.

[empinator]

@hikkyXII
Did you resolve your problem? I am facing a similar issue.

[hikkyXII]

No. Need to edit rules code for that.
But as this project seems abandoned, we are going to move to another admission controller.

[empinator]

Thanks for your reply.
It seems like you are right. Too bad, since I liked the simplicity.
Is there any admission controller you are favouring? istio, OPA, Gatekeeper, kyverno, ... ?

[hikkyXII]

Have no experience with them yet, but:
Istio - is for network operations
OPA, Gatekeeper - they work together. We are going to evaluate this one. The only one I heard of several times.
kyverno - never heard of.

[mark-adams]

👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward.

Thanks for your contribution(s) to the project!