Workload deployment errors might occur if PodSecurityPolicy and bindings are not configured for authenticated users.


You deploy a container workload to a Tanzu Kubernetes cluster but the workload does not start. You see an error similar to the following:

Error: container has runAsNonRoot and image will run as root.


Tanzu Kubernetes clusters are provisioned with the PodSecurityPolicy Admission Controller enabled. No authenticated users can create privileged or unprivileged pods until the cluster administrator binds PodSecurityPolicy to the authenticated users.


Create an appropriate binding to default PodSecurityPolicy, or define custom PodSecurityPolicy. See Using Pod Security Policies with Tanzu Kubernetes Clusters and Tanzu Kubernetes Guestbook Tutorial.