GHSA-hwm2-4ph6-w6m5: Rancher's restricted PodSecurityPolicy does not prevent containers from running as a privileged user
The restricted pod security policy (PSP) shipped with Rancher versions from 2.0 up to and including 2.6.3 deviates from the upstream Kubernetes restricted policy: Rancher's PSP sets spec.runAsUser.rule to RunAsAny, whereas the upstream policy sets it to MustRunAsNonRoot. Containers admitted under Rancher's restricted PSP may therefore run as any user, including root (UID 0), even when the policy is enforced on a project or at the cluster level.
A new restricted-noroot PSP was created to prevent pods from running as root when it is enforced. It was introduced as a separate policy, rather than as a patch to the existing restricted policy, to avoid breaking workloads that use the restricted PSP and currently run as a privileged user. Because the existing restricted policy is left unchanged, projects and clusters that need root to be blocked must be switched to restricted-noroot explicitly; an audit of which PSP each project or cluster enforces, and of the runAsUser rule of that PSP, is the way to confirm the fix is in effect.
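As an added example (not Rancher's code or manifests), the following Python script models the runAsUser difference between the two policies and audits the JSON printed by `kubectl get psp -o json` for the deviation. The two PSP dicts are constructed, reduced to the spec.runAsUser field the advisory is about, and are not Rancher's actual manifests; the admission simulation covers only the pod-level runAsUser check of PSP admission, nothing else a PSP enforces.

```python
"""Audit PodSecurityPolicies for the runAsUser deviation in GHSA-hwm2-4ph6-w6m5.

Against a live cluster (the PSP API only exists on Kubernetes < 1.25):
    kubectl get psp -o json | python3 psp_audit.py
"""
import json
import sys

# Constructed, simplified PSP objects for illustration. They carry only the
# field this advisory concerns (spec.runAsUser.rule) and are NOT Rancher's
# real manifests.
RANCHER_RESTRICTED = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted"},
    "spec": {"privileged": False, "runAsUser": {"rule": "RunAsAny"}},
}

RESTRICTED_NOROOT = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "restricted-noroot"},
    "spec": {"privileged": False, "runAsUser": {"rule": "MustRunAsNonRoot"}},
}

# Constructed stand-in for `kubectl get psp -o json` output.
SAMPLE_KUBECTL_JSON = json.dumps(
    {"kind": "List", "items": [RANCHER_RESTRICTED, RESTRICTED_NOROOT]}
)


def run_as_user_rule(psp):
    """Return spec.runAsUser.rule, or None if the (required) field is absent."""
    return psp.get("spec", {}).get("runAsUser", {}).get("rule")


def audit_psp(psp):
    """Return a list of findings for one PSP; an empty list means no issue."""
    name = psp.get("metadata", {}).get("name", "<unnamed>")
    rule = run_as_user_rule(psp)
    findings = []
    if rule == "RunAsAny":
        findings.append(
            f"{name}: spec.runAsUser.rule is RunAsAny, so pods may run as UID 0 "
            f"(upstream restricted uses MustRunAsNonRoot)"
        )
    elif rule is None:
        findings.append(f"{name}: spec.runAsUser.rule is missing (invalid PSP)")
    return findings


def audit_psp_list(kubectl_json):
    """Audit every item in the JSON list printed by `kubectl get psp -o json`."""
    doc = json.loads(kubectl_json)
    findings = []
    for item in doc.get("items", []):
        findings.extend(audit_psp(item))
    return findings


def admits_run_as_user(psp, pod_security_context):
    """Simulate only the runAsUser part of PSP admission for one pod spec.

    Returns (admitted, reason), following the PSP admission semantics:
      RunAsAny         - any UID, including 0, is accepted.
      MustRunAsNonRoot - runAsUser: 0 or runAsNonRoot: false is rejected;
                         if the pod sets neither, admission defaults
                         runAsNonRoot: true and the kubelet then refuses to
                         start a container whose image user is root.
    Other rules (MustRunAs with UID ranges) are not modelled here.
    """
    rule = run_as_user_rule(psp)
    uid = pod_security_context.get("runAsUser")
    non_root = pod_security_context.get("runAsNonRoot")
    if rule == "RunAsAny":
        return True, "RunAsAny imposes no UID restriction"
    if rule == "MustRunAsNonRoot":
        if uid == 0:
            return False, "runAsUser 0 is forbidden by MustRunAsNonRoot"
        if non_root is False:
            return False, "runAsNonRoot: false is forbidden by MustRunAsNonRoot"
        if uid is None and non_root is None:
            return True, ("admitted with runAsNonRoot defaulted to true; "
                          "the kubelet rejects root images at container start")
        return True, "non-root UID or runAsNonRoot: true"
    raise ValueError(f"unsupported runAsUser rule: {rule!r}")


if __name__ == "__main__":
    if not sys.stdin.isatty():
        for finding in audit_psp_list(sys.stdin.read()):
            print(finding)
    else:
        # No cluster output on stdin: show the two policies against a root pod.
        root_pod = {"runAsUser": 0}
        for psp in (RANCHER_RESTRICTED, RESTRICTED_NOROOT):
            print(psp["metadata"]["name"], admits_run_as_user(psp, root_pod))
```

Run without input to see that a pod requesting runAsUser: 0 is admitted by the constructed restricted policy and rejected by restricted-noroot; pipe real `kubectl get psp -o json` output into it to list every PSP in the cluster whose runAsUser rule is RunAsAny.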
Note: Running containers as root increases the risk that a compromised container is used by a malicious actor as a platform from which to further exploit the user's environment. It is a security best practice to avoid running containers as a privileged user and to limit root to workloads where it is strictly necessary.