homelab-gitops/platform/kyverno/policies/20-require/require-readonly-root-filesystem.yaml
gwg313 baa0216960
add kyverno policies
Signed-off-by: gwg313 <gwg313@pm.me>
2026-05-28 20:09:06 -04:00


---
# Kyverno ClusterPolicy: every container in a Pod must declare
# securityContext.readOnlyRootFilesystem: true, so a process inside the
# container cannot modify the image's filesystem at runtime. Paths that
# legitimately need writes have to be mounted explicitly (e.g. an emptyDir).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-readonly-root-filesystem
  annotations:
    policies.kyverno.io/title: Require Read-Only Root Filesystem
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/severity: high
spec:
  # Audit records violations (PolicyReport) but does not reject the admission
  # request; change to Enforce once existing workloads are compliant.
  validationFailureAction: Audit
  # Evaluate resources that already exist in the cluster, not only new
  # admission requests.
  background: true
  rules:
    - name: require-readonly-root-filesystem
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Containers must use readOnlyRootFilesystem=true."
        # The same pattern is checked against each container list separately,
        # so init containers and ephemeral (debug) containers are covered too.
        foreach:
          - list: "request.object.spec.containers"
            pattern:
              securityContext:
                readOnlyRootFilesystem: true
          - list: "request.object.spec.initContainers"
            pattern:
              securityContext:
                readOnlyRootFilesystem: true
          - list: "request.object.spec.ephemeralContainers"
            pattern:
              securityContext:
                readOnlyRootFilesystem: true