Require Run As Non Root
Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`.
Policy Definition
/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Containers must be required to run as non-root users. This policy ensures
      `runAsNonRoot` is set to `true`.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: check-containers
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Running as root is not allowed. The fields spec.securityContext.runAsNonRoot,
        spec.containers[*].securityContext.runAsNonRoot, and
        spec.initContainers[*].securityContext.runAsNonRoot must be `true`.
      anyPattern:
      - spec:
          securityContext:
            runAsNonRoot: true
          containers:
          - =(securityContext):
              =(runAsNonRoot): true
          =(initContainers):
          - =(securityContext):
              =(runAsNonRoot): true
      - spec:
          containers:
          - securityContext:
              runAsNonRoot: true
          =(initContainers):
          - securityContext:
              runAsNonRoot: true
```
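The two `anyPattern` branches above, as an added example that is not part of the policy or of Kyverno's engine: a hypothetical Python re-implementation of the check, run over constructed Pod specs. It shows in particular that a container overriding the pod-level default with `runAsNonRoot: false` fails both branches, because the `=()` optional anchors still require any value that is present to be `true`.

```python
# Hypothetical re-implementation of the require-run-as-non-root anyPattern
# logic for illustration; it is not Kyverno's pattern engine.
MESSAGE = ("Running as root is not allowed. The fields spec.securityContext.runAsNonRoot, "
           "spec.containers[*].securityContext.runAsNonRoot, and "
           "spec.initContainers[*].securityContext.runAsNonRoot must be `true`.")

def _flag(obj):
    """runAsNonRoot under obj.securityContext, or None if either key is absent."""
    return (obj.get("securityContext") or {}).get("runAsNonRoot")

def _workloads(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])

def pattern_pod_level(spec):
    """Branch 1: pod-level runAsNonRoot: true. The =() anchors on each container
    mean a per-container value is optional, but when present it must be true."""
    if _flag(spec) is not True or "containers" not in spec:
        return False
    return all(_flag(c) is None or _flag(c) is True for c in _workloads(spec))

def pattern_per_container(spec):
    """Branch 2: no pod-level default required, but every container, and every
    initContainer if that list exists, must set runAsNonRoot: true itself."""
    if "containers" not in spec:
        return False
    return all(_flag(c) is True for c in _workloads(spec))

def validate(pod):
    """Return (allowed, message). With validationFailureAction: audit a False
    result is only reported, not blocked; the evaluation is the same either way."""
    spec = pod.get("spec", {})
    ok = pattern_pod_level(spec) or pattern_per_container(spec)
    return ok, ("" if ok else MESSAGE)

# Constructed sample Pods (not taken from any real cluster).
POD_DEFAULT_ONLY = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "app:1"}]}}
POD_CONTAINER_OVERRIDES_TO_ROOT = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "securityContext": {"runAsNonRoot": False}}]}}
POD_EXPLICIT_EVERYWHERE = {"kind": "Pod", "spec": {
    "initContainers": [{"name": "init", "securityContext": {"runAsNonRoot": True}}],
    "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}},
                   {"name": "sidecar", "securityContext": {"runAsNonRoot": True}}]}}
POD_ONE_CONTAINER_UNSET = {"kind": "Pod", "spec": {
    "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}},
                   {"name": "sidecar"}]}}

if __name__ == "__main__":
    for pod in (POD_DEFAULT_ONLY, POD_CONTAINER_OVERRIDES_TO_ROOT,
                POD_EXPLICIT_EVERYWHERE, POD_ONE_CONTAINER_UNSET):
        print(pod["spec"]["containers"][0]["name"], validate(pod)[0])
```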