Service Mesh Require runAsNonRoot
This policy is a variation of the Require runAsNonRoot policy that is a part of the Pod Security Standards (Restricted) category. It enforces the same control but with provisions for Istio's initContainer. For more information and context, see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/.
Policy Definition
/istio/service-mesh-require-run-as-nonroot/service-mesh-require-run-as-nonroot.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: service-mesh-require-run-as-nonroot
  annotations:
    policies.kyverno.io/title: Service Mesh Require runAsNonRoot
    policies.kyverno.io/category: Istio, Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.12.3
    kyverno.io/kubernetes-version: "1.28"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      This policy is a variation of the Require runAsNonRoot policy that is a part of the
      Pod Security Standards (Restricted) category. It enforces the same control but with
      provisions for Istio's initContainer. For more information and context,
      see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: run-as-non-root-istio
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
        must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
        spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
        must be set to `true`.
      anyPattern:
      - spec:
          securityContext:
            runAsNonRoot: true
          =(ephemeralContainers):
          - =(securityContext):
              =(runAsNonRoot): true
          =(initContainers):
          - (image): "!*istio/proxyv2*"
            =(securityContext):
              =(runAsNonRoot): true
          containers:
          - =(securityContext):
              =(runAsNonRoot): true
      - spec:
          =(ephemeralContainers):
          - securityContext:
              runAsNonRoot: true
          =(initContainers):
          - (image): "!*istio/proxyv2*"
            securityContext:
              runAsNonRoot: true
          containers:
          - securityContext:
              runAsNonRoot: true
```
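The two `anyPattern` branches above are easy to misread: the `=(key)` anchors mean "if the field is present it must match", while the `(image): "!*istio/proxyv2*"` conditional anchor means the sibling `securityContext` pattern only applies to initContainers whose image is *not* the Istio proxy, so `istio-init` may keep its root `securityContext`. The following Python model, written here as an added illustration and not part of Kyverno or this policy, replays that logic over constructed Pod specs. It is not Kyverno's pattern engine; it approximates Kyverno's `*` wildcard with `fnmatchcase` and the sample images, names and pods are invented for the demonstration.

```python
"""Model of the anyPattern logic in service-mesh-require-run-as-nonroot (illustrative, not Kyverno)."""
from fnmatch import fnmatchcase

# Image pattern the policy exempts via the conditional anchor (image): "!*istio/proxyv2*".
# Assumption: fnmatch-style '*' is close enough to Kyverno's wildcard for this model.
ISTIO_PROXY_PATTERN = "*istio/proxyv2*"


def is_istio_proxy(container: dict) -> bool:
    """True when the conditional anchor's image test is NOT met, i.e. the container is exempt."""
    return fnmatchcase(container.get("image", ""), ISTIO_PROXY_PATTERN)


def non_root_if_set(container: dict) -> bool:
    """Branch 1: =(securityContext) / =(runAsNonRoot). Absent is fine (pod default applies);
    if present the value must be true."""
    sc = container.get("securityContext")
    if sc is None or "runAsNonRoot" not in sc:
        return True
    return sc["runAsNonRoot"] is True


def non_root_required(container: dict) -> bool:
    """Branch 2: securityContext.runAsNonRoot must be present and true on the container."""
    sc = container.get("securityContext") or {}
    return sc.get("runAsNonRoot") is True


def check_group(containers, predicate, exempt_istio: bool) -> bool:
    """Apply the per-container predicate to every list element, skipping exempt Istio proxies."""
    for c in containers or []:
        if exempt_istio and is_istio_proxy(c):
            continue  # conditional anchor is false, so the sibling pattern is skipped
        if not predicate(c):
            return False
    return True


def pattern_one(spec: dict) -> bool:
    """Pod-level runAsNonRoot: true, containers may only override it with true."""
    if (spec.get("securityContext") or {}).get("runAsNonRoot") is not True:
        return False
    return (check_group(spec.get("ephemeralContainers"), non_root_if_set, False)
            and check_group(spec.get("initContainers"), non_root_if_set, True)
            and check_group(spec.get("containers"), non_root_if_set, False))


def pattern_two(spec: dict) -> bool:
    """No pod-level requirement; every (non-Istio-proxy) container sets runAsNonRoot: true."""
    return (check_group(spec.get("ephemeralContainers"), non_root_required, False)
            and check_group(spec.get("initContainers"), non_root_required, True)
            and check_group(spec.get("containers"), non_root_required, False))


def pod_allowed(pod: dict) -> bool:
    """anyPattern semantics: the Pod passes if at least one branch matches."""
    spec = pod.get("spec", {})
    return pattern_one(spec) or pattern_two(spec)


# Constructed sample Pods (not from the page).
# An Istio-injected pod: istio-init runs as root but is exempt; the app container inherits
# the pod-level runAsNonRoot: true.
INJECTED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "initContainers": [{"name": "istio-init", "image": "docker.io/istio/proxyv2:1.20.0",
                        "securityContext": {"runAsUser": 0, "runAsNonRoot": False}}],
    "containers": [{"name": "app", "image": "example.invalid/app:1.0"}],
}}
# A non-Istio initContainer that explicitly runs as root: denied by both branches.
ROOT_INIT_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "initContainers": [{"name": "setup", "image": "example.invalid/setup:1.0",
                        "securityContext": {"runAsNonRoot": False}}],
    "containers": [{"name": "app", "image": "example.invalid/app:1.0",
                    "securityContext": {"runAsNonRoot": True}}],
}}
# No pod-level setting, but every non-exempt container sets runAsNonRoot: true (branch 2).
EXPLICIT_POD = {"spec": {
    "initContainers": [{"name": "istio-init", "image": "docker.io/istio/proxyv2:1.20.0"}],
    "containers": [{"name": "app", "image": "example.invalid/app:1.0",
                    "securityContext": {"runAsNonRoot": True}}],
}}
# Nothing set anywhere: denied.
BARE_POD = {"spec": {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]}}

if __name__ == "__main__":
    for label, pod in [("injected", INJECTED_POD), ("root-init", ROOT_INIT_POD),
                       ("explicit", EXPLICIT_POD), ("bare", BARE_POD)]:
        print(f"{label}: {'allowed' if pod_allowed(pod) else 'denied'}")
```

Running the model shows why the Istio variant is needed: the stock Require runAsNonRoot policy would reject `INJECTED_POD` because `istio-init` sets `runAsNonRoot: false`, whereas this policy accepts it and still denies `ROOT_INIT_POD`, whose root initContainer is not the Istio proxy. Because the exemption is keyed only on the image name, keep an image-verification control (for example a signature or registry allowlist) alongside this policy so that the `istio/proxyv2` pattern cannot be matched by an arbitrary image.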