Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: require-run-as-nonrootannotations:policies.kyverno.io/title: Require runAsNonRootpolicies.kyverno.io/category: Pod Security Standards (Restricted)policies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Podkyverno.io/kyverno-version: 1.6.0kyverno.io/kubernetes-version: 1.22-1.23policies.kyverno.io/description: Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.spec:validationFailureAction: Auditbackground: truerules:- name: run-as-non-rootmatch:any:- resources:kinds:- Podvalidate:message: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.anyPattern:- spec:securityContext:runAsNonRoot: "true""=(ephemeralContainers)":- "=(securityContext)":"=(runAsNonRoot)": "true""=(initContainers)":- "=(securityContext)":"=(runAsNonRoot)": "true"containers:- "=(securityContext)":"=(runAsNonRoot)": "true"- spec:"=(ephemeralContainers)":- securityContext:runAsNonRoot: "true""=(initContainers)":- securityContext:runAsNonRoot: "true"containers:- securityContext:runAsNonRoot: "true"
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.
An AppProject may optionally specify clusterResourceBlacklist which is a blacklisted group of cluster resources. This is often a good practice to ensure AppProjects do not allow more access than needed. This policy is a combination of two rules which enforce that all AppProjects specify clusterResourceBlacklist and that their group and kind have wildcards as values.