Container deployment errors might occur if pod security policy (PSP) and role-based access control (RBAC) are not configured for authenticated users, because the cluster's admission controller then has no policy it is allowed to admit the pod under.

Problem

You deploy a container workload to a TKG 2.0 cluster but the workload does not start. You see an error similar to the following:

Error: container has runAsNonRoot and image will run as root.

Cause

TKG clusters are provisioned with the PodSecurityPolicy Admission Controller enabled. With that controller on, a pod is admitted only if the user or service account creating it is authorized (through an RBAC binding granting the use verb) to use a PodSecurityPolicy. No authenticated users can create privileged or unprivileged pods until the cluster administrator binds a PodSecurityPolicy to the authenticated users. The error shown above is the typical symptom when the only policy that applies requires runAsNonRoot, as the restrictive default policy does, while the container image is configured to run as root: the kubelet refuses to start the container rather than run it as UID 0.

Solution

If you are using TKR 1.24 or earlier, create an appropriate RBAC binding to one of the default PodSecurityPolicy objects, or define a custom PodSecurityPolicy and bind that. Scope the binding to the namespace and service accounts that actually need it; a ClusterRoleBinding of the privileged policy to system:authenticated removes the protection for the whole cluster. If you are using TKR 1.25 or later, the PodSecurityPolicy API no longer exists in Kubernetes, so configure Pod Security Admission instead by labeling the workload's namespace with the Pod Security Standard level it must meet. In either case, check whether the workload itself should simply run as a non-root user (set runAsUser to a non-zero UID that exists in the image) before loosening the policy. See Managing Security for TKG Service Clusters.
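The two branches of the solution above, plus the workload-side fix, as an added example; these manifests are not from the original page or from VMware's documentation. The namespace app-ns, the pod and image names, and UID 1000 are placeholders, and the ClusterRole name psp:vmware-system-privileged is assumed to be the role created for the default privileged policy on a TKG Service cluster, so confirm it with kubectl get clusterrole before applying:

```yaml
# Added example, not from the original page or from VMware.
# Assumptions: the cluster ships its default PodSecurityPolicies and a
# ClusterRole psp:vmware-system-privileged granting "use" on the privileged one
# (confirm: kubectl get psp; kubectl get clusterrole | grep psp);
# the workload lives in a hypothetical namespace "app-ns".
#
# --- TKR 1.24 or earlier: bind the PSP to one namespace's service accounts.
# A RoleBinding (namespaced) to the group system:serviceaccounts:app-ns keeps
# the privileged policy out of every other namespace and away from
# system:authenticated.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-privileged-app-ns-sa
  namespace: app-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-privileged
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:app-ns
---
# --- TKR 1.25 or later: PodSecurityPolicy is removed; enforce a Pod Security
# Standard per namespace with Pod Security Admission labels instead.
# "baseline" blocks privileged containers and host namespaces but does not
# require runAsNonRoot; "restricted" does. Enforce baseline, and warn/audit on
# restricted to see what would break before tightening.
apiVersion: v1
kind: Namespace
metadata:
  name: app-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# --- Either release: make the pod satisfy a non-root policy instead of
# loosening the policy. With runAsUser set to a non-zero UID the kubelet no
# longer has to infer the user from the image, so the "image will run as root"
# check does not trigger. The UID must work for the application (file
# ownership, listening ports > 1024); 1000 is a placeholder.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app-ns
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/team/app:1.2.3   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Apply with kubectl apply -f and then verify the binding took effect from the subject's point of view, for example kubectl auth can-i use podsecuritypolicy/vmware-system-privileged --as system:serviceaccount:app-ns:default -n app-ns should answer yes on TKR 1.24 or earlier. On TKR 1.25 or later, kubectl label --dry-run=server --overwrite ns app-ns pod-security.kubernetes.io/enforce=restricted reports which existing pods would be rejected before you commit to the stricter level.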