Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: require-run-as-nonrootannotations:policies.kyverno.io/title: Require runAsNonRootpolicies.kyverno.io/category: Pod Security Standards (Restricted)policies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Podkyverno.io/kyverno-version: 1.6.0kyverno.io/kubernetes-version: 1.22-1.23policies.kyverno.io/description: Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.spec:validationFailureAction: Auditbackground: truerules:- name: run-as-non-rootmatch:any:- resources:kinds:- Podvalidate:message: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.anyPattern:- spec:securityContext:runAsNonRoot: "true""=(ephemeralContainers)":- "=(securityContext)":"=(runAsNonRoot)": "true""=(initContainers)":- "=(securityContext)":"=(runAsNonRoot)": "true"containers:- "=(securityContext)":"=(runAsNonRoot)": "true"- spec:"=(ephemeralContainers)":- securityContext:runAsNonRoot: "true""=(initContainers)":- securityContext:runAsNonRoot: "true"containers:- securityContext:runAsNonRoot: "true"
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.