Container deployment errors might occur if pod security policy and role-based access control are not configured for authenticated users.


You deploy a container workload to a TKG 2.0 cluster but the workload does not start. You see an error similar to the following:

Error: container has runAsNonRoot and image will run as root.


TKG clusters are provisioned with the PodSecurityPolicy Admission Controller enabled. No authenticated users can create privileged or unprivileged pods until the cluster administrator binds PodSecurityPolicy to the authenticated users.


If you are using TKR 1.24 or earlier, create an appropriate binding to default PodSecurityPolicy, or define custom PodSecurityPolicy. If you are using TKR 1.25 or later, configure Pod Security Admission. See Managing Security for TKG Clusters on Supervisor.