Workload misconfigurations

Enable user namespace support (Automated)

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

You should enable user namespace support in the Docker daemon so that users inside a container are re-mapped to unprivileged users on the host. With remapping in effect, a process running as root (UID 0) inside the container runs as an ordinary, non-root UID on the host, which limits the damage a container escape can do. This recommendation is most beneficial where the container images you use do not define an explicit, non-root container user. If the images you use already define a non-root user, this recommendation may be skipped, as the feature is still maturing and might result in unpredictable issues or difficulty in configuration.
  • Recommended Mitigation

    Please consult the Docker documentation for the various ways in which this can be configured depending on your requirements. The steps may also vary by platform: on Red Hat, for example, the sub-UID and sub-GID mappings are not created automatically, and you may have to create them yourself. The high-level steps are as follows:

    Step 1: Ensure that the files /etc/subuid and /etc/subgid exist: 'touch /etc/subuid /etc/subgid'.

    Step 2: Start the Docker daemon with the --userns-remap flag: 'dockerd --userns-remap=default'. With the value 'default', the daemon creates (or reuses) a 'dockremap' user and group and, where the platform supports it, allocates subordinate ID ranges for them in /etc/subuid and /etc/subgid; an existing user can be named instead (for example '--userns-remap=user:group'). The same setting can be made persistent with '"userns-remap": "default"' in /etc/docker/daemon.json.

    Audit: the output of docker info --format '{{.SecurityOptions}}' should list 'name=userns' once remapping is in effect. On hosts where the mappings had to be created manually, /etc/subuid and /etc/subgid should each contain an entry of the form 'dockremap:165536:65536' (user, first subordinate ID, number of IDs).

    Note that enabling remapping moves the daemon's data root to a new directory (/var/lib/docker/<uid>.<gid>), so previously pulled images and existing containers are not visible until they are pulled or created again. Containers that share the host's PID or network namespace (--pid=host, --network=host), or that are started with --privileged, are incompatible with remapping unless they are run with --userns=host.
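    The following shell helpers are an added example for auditing this recommendation; they are not part of the original page or of Docker itself. The function names (userns_enabled, subid_range, host_uid) are this example's own, and the docker info output and /etc/subuid contents at the bottom are constructed samples, so the checks run without a Docker daemon. On a live host you would feed them the real values, as shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original page): audit helpers for Docker user
# namespace remapping. On a real host, call them with live data, e.g.
#   userns_enabled "$(docker info --format '{{.SecurityOptions}}')"
#   subid_range "$(cat /etc/subuid)" dockremap

# Return 0 when the docker info SecurityOptions value lists name=userns,
# which the daemon reports only while --userns-remap is in effect.
# The value looks like: [name=seccomp,profile=builtin name=userns]
userns_enabled() {
  printf '%s\n' "$1" | tr ' []' '\n\n\n' | grep -qx 'name=userns'
}

# Print "start count" for USER's first entry in a subuid/subgid-style body
# (lines of the form user:start:count); fail if the user has no entry,
# which is the manual-mapping gap the Red Hat note above warns about.
subid_range() {
  printf '%s\n' "$1" | awk -F: -v u="$2" '
    $1 == u { print $2, $3; found = 1; exit }
    END { exit !found }'
}

# Map a container UID to the host UID it runs as under remapping, given the
# remap user's subordinate range (start count); fail if the UID falls
# outside the range, since such a UID cannot be mapped at all.
host_uid() {
  start=$1; count=$2; cuid=$3
  [ "$cuid" -ge 0 ] && [ "$cuid" -lt "$count" ] || return 1
  echo $((start + cuid))
}

# Constructed sample data for offline use (not captured from a real host).
SAMPLE_INFO='[name=seccomp,profile=builtin name=userns]'
SAMPLE_SUBUID='alice:100000:65536
dockremap:165536:65536'

if userns_enabled "$SAMPLE_INFO"; then
  echo "userns-remap: enabled"
else
  echo "userns-remap: NOT enabled (FAIL)"
fi

if range=$(subid_range "$SAMPLE_SUBUID" dockremap); then
  echo "dockremap subordinate UID range: $range"
  set -- $range
  echo "container root (uid 0) runs as host uid $(host_uid "$1" "$2" 0)"
else
  echo "no /etc/subuid entry for dockremap (create one, e.g. dockremap:165536:65536)"
fi
```

    The same subid_range call against the contents of /etc/subgid checks the group mapping; both files must have an entry for the remap user, or the daemon will fail to start with remapping enabled.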