homelab-gitops/platform/kyverno/policies/10-defaults/default-run-as-non-root.yaml
gwg313 baa0216960
add kyverno policies
Signed-off-by: gwg313 <gwg313@pm.me>
2026-05-28 20:09:06 -04:00


# Kyverno ClusterPolicy that defaults `runAsNonRoot: true` at the Pod level and
# on every container / initContainer of admitted Pods.
#
# Every patch below uses the `+()` add-anchor, so the field is only inserted
# when it is absent: an explicit `runAsNonRoot: false` written by the workload
# author is left untouched. This is a default, not an enforcement — in
# Kubernetes a container-level securityContext value overrides the Pod-level
# one, so a container that opts out still runs as root. Pair with a validate
# rule or Pod Security Admission if root must be rejected outright.
#
# Operational effect: a container whose image runs as UID 0 and that sets no
# runAsUser is refused by the kubelet once runAsNonRoot is true
# (CreateContainerConfigError). That is the intended fail-closed behaviour;
# such workloads need a non-root image or an explicit runAsUser.
#
# NOTE(review): ephemeralContainers are not patched by either foreach entry —
# confirm whether debug containers should receive the same default.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: default-run-as-non-root
spec:
  # NOTE(review): with no `targets`, the mutate rules act at admission time;
  # confirm whether background mode is expected to reach already-running Pods.
  background: true
  rules:
    # Rule 1: Pod-level securityContext default.
    - name: default-pod-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              +(runAsNonRoot): true
    # Rule 2: per-container default. Each foreach entry iterates one list of
    # the Pod spec and patches only the element whose name matches the
    # `(name)` conditional anchor.
    - name: default-container-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        foreach:
          - list: "request.object.spec.containers"
            patchStrategicMerge:
              spec:
                containers:
                  - (name): "{{ element.name }}"
                    securityContext:
                      +(runAsNonRoot): true
          # `|| []` yields an empty list when the Pod has no initContainers,
          # so this entry iterates nothing instead of failing on a missing field.
          - list: "request.object.spec.initContainers || []"
            patchStrategicMerge:
              spec:
                initContainers:
                  - (name): "{{ element.name }}"
                    securityContext:
                      +(runAsNonRoot): true