Workload deployment errors might occur if PodSecurityPolicy and bindings are not configured for authenticated users.

Problem

You deploy a container workload to a Tanzu Kubernetes cluster but the workload does not start. You see an error similar to the following:

Error: container has runAsNonRoot and image will run as root.

Cause

Tanzu Kubernetes clusters are provisioned with the PodSecurityPolicy Admission Controller enabled. No authenticated users can create privileged or unprivileged pods until the cluster administrator binds PodSecurityPolicy to the authenticated users.

Solution

Create an appropriate binding to the default PodSecurityPolicy, or define a custom PodSecurityPolicy. See Using Pod Security Policies with Tanzu Kubernetes Clusters and Tanzu Kubernetes Guestbook Tutorial.
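
The following manifest is an added example, not part of the original page or VMware's own material: a namespace-scoped RoleBinding to the default restricted policy, followed by a pod that avoids the runAsNonRoot error. The namespace, binding, pod and image names are hypothetical; the ClusterRole psp:vmware-system-restricted is assumed to be the default shipped with the cluster and should be confirmed before applying.

```yaml
# Added example. Names marked hypothetical are placeholders.
# Confirm the default policies and roles on your cluster first:
#   kubectl get psp
#   kubectl get clusterrole | grep psp
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-demo-apps        # hypothetical binding name
  namespace: demo-apps                  # hypothetical namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-restricted    # assumed default restricted role
subjects:
  # Authenticated users who create pods directly in this namespace.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:authenticated
  # Service accounts of this namespace, so that pods created by
  # Deployments, Jobs and other controllers are admitted as well.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:demo-apps
---
# A pod that satisfies a non-root policy. The error shown under "Problem"
# is reported when runAsNonRoot applies to the container but the image
# would start as UID 0, so an explicit non-root UID is set here.
apiVersion: v1
kind: Pod
metadata:
  name: demo-app                        # hypothetical pod name
  namespace: demo-apps
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                     # the image must work as this UID
  containers:
    - name: app
      image: registry.example.com/demo/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
```

A RoleBinding limits the grant to one namespace. Binding a privileged policy to system:authenticated through a ClusterRoleBinding would let every authenticated user run privileged pods cluster-wide, so reserve that for namespaces that need it.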