Root User

BeaverDeck uses this check to flag Pods and containers that are explicitly configured to run as the root user (UID 0), a condition that may need operator review.

Permissions: viewing checks requires insights: view. Opening a linked object or logs requires the corresponding resource permission, and the BeaverDeck ServiceAccount must be allowed to read the Kubernetes resources used by the check. Suppressing a finding requires insights: edit and affects all users.
Check type: root-user
Insights section: Security Insights
Alert severity: Warning

When It Reports A Finding

The Pod or an init/application container explicitly sets securityContext.runAsUser: 0.

Why This Is A Problem

Running as UID 0 increases the privileges available inside the container and can amplify the impact of application or runtime vulnerabilities.

Recommended Response

  1. Use an image that supports a dedicated non-root UID and writable paths appropriate for that user.
  2. Set runAsNonRoot: true and a non-zero runAsUser at pod or container scope.
  3. Test startup, file ownership, mounted volumes, and required ports after changing the user.

Scope And Limitations

The check detects only explicit UID 0. A passing result does not prove that the image's default user is non-root when runAsUser is omitted.
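
The gap described above can be audited separately. The following is an added example, not BeaverDeck's own code: it takes a Pod manifest already parsed into a dict, lists where UID 0 is set explicitly (the condition this check reports), and also lists containers where neither runAsUser nor runAsNonRoot: true applies, so the image's default user decides. The function name and sample manifest are assumptions made for illustration.

```python
# Added example: hypothetical helper, not BeaverDeck code.

def audit_run_as_user(pod):
    """Return (explicit_root, unverified) location lists for a Pod manifest dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    explicit_root, unverified = [], []

    # Pod-scope explicit UID 0: part of the condition the check reports.
    if pod_sc.get("runAsUser") == 0:
        explicit_root.append("pod")

    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            where = f"{kind}/{c.get('name', '?')}"
            if sc.get("runAsUser") == 0:
                explicit_root.append(where)
            # Container-level fields override pod-level ones.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            # No UID and no runAsNonRoot: the image's default user decides,
            # which a check for explicit UID 0 cannot see.
            if uid is None and non_root is not True:
                unverified.append(where)
    return explicit_root, unverified


# Constructed sample manifest (as if parsed from YAML).
SAMPLE_POD = {
    "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "initContainers": [
            {"name": "fix-perms", "image": "example/init:1",
             "securityContext": {"runAsUser": 0}},
        ],
        "containers": [
            {"name": "app", "image": "example/app:1"},
        ],
    },
}

if __name__ == "__main__":
    print(audit_run_as_user(SAMPLE_POD))
```

Containers in the second list pass the explicit UID 0 check but still need runAsNonRoot: true or a non-zero runAsUser before their user can be considered verified.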

After remediation: refresh Security Insights and verify the underlying resource or metric. Suppress the finding only when the condition is intentional and its risk is accepted.