---
# Kyverno ClusterPolicy "require-non-root".
#
# Rejects Pods unless runAsNonRoot is explicitly true both at the Pod level
# (rule 1) and on every container, init container and ephemeral container
# (rule 2). Both rules share the same match and the same two opt-outs.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
  annotations:
    policies.kyverno.io/title: Require Non-Root Containers
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/severity: high
spec:
  # Enforce: a non-conforming admission request is rejected, not merely audited.
  validationFailureAction: Enforce
  # Also evaluate Pods that already exist in the cluster (background scan).
  background: true
  rules:
    # Rule 1: the Pod-level securityContext must carry runAsNonRoot: true.
    - name: require-pod-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          # Opt-out 1: a label on the Pod itself.
          # NOTE(review): whoever creates the Pod also sets its labels, so this
          # exclusion is self-service; the namespace-label opt-out below needs
          # rights on the Namespace object and is the tighter of the two gates.
          - resources:
              selector:
                matchLabels:
                  security.policy/allow-root: "true"
          # Opt-out 2: a label on the enclosing Namespace.
          - resources:
              namespaceSelector:
                matchLabels:
                  policy.home.arpa/allow-root: "true"
      validate:
        message: "Pods must set runAsNonRoot=true."
        pattern:
          spec:
            securityContext:
              runAsNonRoot: true

    # Rule 2: every container entry must itself carry runAsNonRoot: true; the
    # Pod-level value from rule 1 is not accepted as a substitute here, so a
    # conforming Pod sets the field at both levels.
    - name: require-container-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          # Same two opt-outs as rule 1 (Pod label, then Namespace label).
          - resources:
              selector:
                matchLabels:
                  security.policy/allow-root: "true"
          - resources:
              namespaceSelector:
                matchLabels:
                  policy.home.arpa/allow-root: "true"
      validate:
        message: "All containers must set runAsNonRoot=true."
        foreach:
          - list: "request.object.spec.containers"
            pattern:
              securityContext:
                runAsNonRoot: true
          # initContainers and ephemeralContainers are optional Pod fields.
          # NOTE(review): confirm how the deployed Kyverno release handles a
          # foreach whose list expression resolves to nothing, and whether
          # matching kind "Pod" alone covers ephemeral containers, which are
          # added through the pods/ephemeralcontainers subresource.
          - list: "request.object.spec.initContainers"
            pattern:
              securityContext:
                runAsNonRoot: true
          - list: "request.object.spec.ephemeralContainers"
            pattern:
              securityContext:
                runAsNonRoot: true