Check Last User

Description

The last USER instruction in the Dockerfile determines the default user the container runs as when it starts. This policy validates that the last USER is not root. Running containers as a non-root user significantly limits the damage an attacker can inflict after compromising a container.

Kyverno policy

Refer to the Nirmata curated policies - check-last-user.

Resource example

Below is an example of a Dockerfile that complies with this policy.

FROM base

# An intermediate USER root is permitted; only the last USER instruction is evaluated.
USER root
COPY test.sh /test.sh

# The last USER is non-root, so the container does not start with root privileges.
USER non-root
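As an added example (not the Kyverno policy itself and not Nirmata's code), the following Python script applies the same rule to a Dockerfile offline, so it can run in CI before the image is built. It generalizes the description slightly: only USER instructions after the final FROM count (a multi-stage build's runtime image is its last stage), `$VAR`/`${VAR}` references are resolved against ARG defaults and ENV KEY=value pairs seen in the file, and a Dockerfile with no applicable USER is treated as running as root (an assumption about the base image made by this example, not a statement about the policy's behaviour).

```python
import re
from typing import Iterator, Optional, Tuple

ROOT_IDENTITIES = {"root", "0"}

# The Dockerfile from this page, embedded here so the example runs offline.
PAGE_DOCKERFILE = """FROM base

USER root
COPY test.sh /test.sh

USER non-root
"""

def _instructions(dockerfile: str) -> Iterator[Tuple[str, str]]:
    """Yield (KEYWORD, arguments) pairs; joins backslash continuations, skips blanks and comments."""
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def effective_user(dockerfile: str) -> Optional[str]:
    """User named by the last USER instruction of the final build stage, with $VAR / ${VAR}
    resolved against ARG defaults and ENV KEY=value pairs seen earlier; None if no USER applies."""
    variables: dict = {}
    user: Optional[str] = None
    for keyword, args in _instructions(dockerfile):
        if keyword == "FROM":
            user = None  # a new stage begins; USER lines from earlier stages do not carry over
        elif keyword in ("ARG", "ENV"):
            for match in re.finditer(r'(\w+)=("[^"]*"|\S+)', args):
                variables[match.group(1)] = match.group(2).strip('"')
        elif keyword == "USER":
            user = re.sub(r"\$\{?(\w+)\}?",
                          lambda m: variables.get(m.group(1), m.group(0)), args)
    return user

def runs_as_root(dockerfile: str) -> bool:
    """True when the container would start as root: no applicable USER (this example assumes the
    base image defaults to root), an unresolved variable (conservative), or root/UID 0 in 'user[:group]'."""
    user = effective_user(dockerfile)
    if user is None or "$" in user:
        return True
    return user.split(":", 1)[0] in ROOT_IDENTITIES

if __name__ == "__main__":
    verdict = "violates" if runs_as_root(PAGE_DOCKERFILE) else "complies with"
    print(f"Effective user: {effective_user(PAGE_DOCKERFILE)!r}; Dockerfile {verdict} check-last-user")
```

Note that the legacy `ENV KEY value` form (without `=`) is not parsed, so a USER built from such a variable is reported as unresolved and therefore failing.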