All Policies

Require Run As Non Root

Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`.

Policy Definition

/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: require-run-as-non-root
 5  annotations:
 6    policies.kyverno.io/category: Pod Security Standards (Restricted)
 7    policies.kyverno.io/severity: medium
 8    policies.kyverno.io/subject: Pod
 9    policies.kyverno.io/description: >-
10      Containers must be required to run as non-root users. This policy ensures
11      `runAsNonRoot` is set to `true`.      
12spec:
13  validationFailureAction: audit
14  background: true
15  rules:
16  - name: check-containers
17    match:
18      resources:
19        kinds:
20        - Pod
21    validate:
22      message: >-
23        Running as root is not allowed. The fields spec.securityContext.runAsNonRoot,
24        spec.containers[*].securityContext.runAsNonRoot, and
25        spec.initContainers[*].securityContext.runAsNonRoot must be `true`.        
26      anyPattern:
27      - spec:
28          securityContext:
29            runAsNonRoot: true
30          containers:
31          - =(securityContext):
32              =(runAsNonRoot): true
33          =(initContainers):
34          - =(securityContext):
35              =(runAsNonRoot): true
36      - spec:
37          containers:
38          - securityContext:
39              runAsNonRoot: true
40          =(initContainers):
41          - securityContext:
42              runAsNonRoot: true
43