homelab-gitops/platform/kyverno/policies/20-require/require-non-root.yaml
gwg313 e507515766
add pac
Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-29 21:03:51 -04:00


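# Kyverno ClusterPolicy: reject Pods that do not run as a non-root user.
#
# Both rules must pass (rules in a policy are ANDed):
#   1. the Pod-level securityContext sets runAsNonRoot=true;
#   2. every container (regular, init and ephemeral) also sets
#      runAsNonRoot=true explicitly, so no container can override the
#      Pod-level default with runAsNonRoot=false.
#
# The kubelet enforces runAsNonRoot at container start: a container whose
# image runs as UID 0, or whose image USER is a non-numeric name with no
# runAsUser override, fails to start. Workloads built from such images need
# a numeric, non-zero runAsUser in addition to this flag.
#
# Opt-outs: Pod label security.policy/allow-root="true" or Namespace label
# policy.home.arpa/allow-root="true".
# NOTE(review): the Pod label is set by whoever creates the Pod, so it is a
# self-service bypass of this policy; the Namespace label needs write access
# to the Namespace object and is the stronger escape hatch. Keep the Pod-label
# exclusion only if something else restricts who may apply that label.
#
# NOTE(review): Kyverno is expected to skip auto-generating controller
# (Deployment, StatefulSet, ...) variants of rules whose match/exclude uses a
# label selector or more than one kind, so a non-compliant Deployment would be
# admitted and only its Pods rejected (visible in ReplicaSet events, not at
# apply time). Pods are still blocked either way — confirm against the
# deployed Kyverno version.
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
  annotations:
    policies.kyverno.io/title: Require Non-Root Containers
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/severity: high
spec:
  # Enforce: violating admission requests are rejected rather than audited.
  validationFailureAction: Enforce
  # Also scan existing Pods and report violations in PolicyReports
  # (background scans report; they do not evict running Pods).
  background: true
  rules:
    # Rule 1: the Pod-level default must be non-root.
    - name: require-pod-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              selector:
                matchLabels:
                  security.policy/allow-root: "true"
          - resources:
              namespaceSelector:
                matchLabels:
                  policy.home.arpa/allow-root: "true"
      validate:
        message: "Pods must set runAsNonRoot=true."
        pattern:
          spec:
            securityContext:
              runAsNonRoot: true

    # Rule 2: no container may omit or override the non-root setting.
    - name: require-container-run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
                # Ephemeral containers are injected through the
                # pods/ephemeralcontainers subresource (e.g. `kubectl debug`).
                # A match on plain Pod never sees that admission request, so
                # without this entry the ephemeralContainers check below could
                # at most be reported by a background scan, after a root debug
                # container is already running. Subresource matching needs
                # Kyverno >= 1.9 — confirm the deployed version.
                - Pod/ephemeralcontainers
      exclude:
        any:
          - resources:
              selector:
                matchLabels:
                  security.policy/allow-root: "true"
          - resources:
              namespaceSelector:
                matchLabels:
                  policy.home.arpa/allow-root: "true"
      validate:
        message: "All containers must set runAsNonRoot=true."
        # Each list is checked element by element. The field must be present
        # and true: a container that merely inherits the Pod-level value is
        # rejected. To allow inheritance (rule 1 already guarantees the
        # Pod-level value), change each pattern to
        # `=(securityContext): {=(runAsNonRoot): true}`.
        # NOTE(review): a list absent from the Pod (e.g. no initContainers)
        # is expected to be skipped rather than fail the rule — verify on the
        # deployed Kyverno version.
        foreach:
          - list: "request.object.spec.containers"
            pattern:
              securityContext:
                runAsNonRoot: true
          - list: "request.object.spec.initContainers"
            pattern:
              securityContext:
                runAsNonRoot: true
          - list: "request.object.spec.ephemeralContainers"
            pattern:
              securityContext:
                runAsNonRoot: true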