Some containers must be built to run as root in order to function properly, but use of those images should be carefully restricted to prevent unneeded privileges. This policy blocks any image that runs as root if it does not come from a trustworthy registry, `ghcr.io` in this case.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: only-trustworthy-registries-set-root
  annotations:
    policies.kyverno.io/title: Only Trustworthy Registries Set Root
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: 1.22-1.23
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Some containers must be built to run as root in order to function properly,
      but use of those images should be carefully restricted to prevent unneeded
      privileges. This policy blocks any image that runs as root if it does not
      come from a trustworthy registry, `ghcr.io` in this case.
spec:
  validationFailureAction: Audit
  rules:
  - name: only-allow-trusted-images
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: Images with root user are not allowed to be pulled from any registry other than ghcr.io.
      foreach:
      - list: request.object.spec.containers
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        deny:
          conditions:
            all:
            - key: "{{ imageData.configData.config.User || ''}}"
              operator: Equals
              value: ""
            - key: "{{ imageData.registry }}"
              operator: NotEquals
              value: ghcr.io
```
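The following script is an added example, not part of the policy library or Kyverno's code. It replays the rule's two deny conditions offline so you can see which containers of a Pod would be reported before applying the policy to a cluster. Kyverno's `imageRegistry` context normally pulls the image config from the registry; here that lookup is replaced by a constructed in-memory table (`FAKE_IMAGE_CONFIG_USER`), and the registry host is derived from the image reference with the usual Docker reference convention (unqualified names resolve to `docker.io`). Three points worth noticing, all visible in the policy above: `validationFailureAction: Audit` means violations are reported, not blocked, until it is changed to `Enforce`; the `foreach` iterates `spec.containers` only, so `initContainers` are not inspected; and the root test is "config `User` is empty", so an image that sets `USER root` or `USER 0` explicitly passes it. The `runs_as_root` helper shows a broader check for that last case and goes beyond what the page's policy does.

```python
"""Offline simulation of the deny logic in the Kyverno ClusterPolicy
"only-trustworthy-registries-set-root". Added example; the function and
constant names below are this script's own, not Kyverno's."""

TRUSTED_REGISTRY = "ghcr.io"

# Constructed stand-in for `imageData.configData.config.User`, keyed by the
# image reference exactly as it appears in the Pod spec.
FAKE_IMAGE_CONFIG_USER = {
    "ghcr.io/example/tool:1.0": "",            # root, but trusted registry -> allowed
    "nginx:1.25": "",                          # docker.io, root -> denied by the policy
    "quay.io/example/app:2.3": "1000",         # non-root -> allowed
    "registry.example.com/svc:latest": "root", # explicit root: passes the empty-User test
}

# Constructed sample Pod; only spec.containers is consulted, as in the policy.
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "nginx:1.25"}],  # never inspected
        "containers": [
            {"name": "tool", "image": "ghcr.io/example/tool:1.0"},
            {"name": "web", "image": "nginx:1.25"},
            {"name": "app", "image": "quay.io/example/app:2.3"},
            {"name": "svc", "image": "registry.example.com/svc:latest"},
        ],
    },
}


def registry_of(image: str) -> str:
    """Registry host of an image reference, following the Docker reference
    convention: the first path component is a registry only if it contains
    '.' or ':' or is 'localhost'; otherwise the image lives on docker.io."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def violates_policy(user, registry: str) -> bool:
    """Literal translation of the two deny conditions joined by `all`:
    `User || ''` equals "" AND `imageData.registry` is not ghcr.io."""
    return (user or "") == "" and registry != TRUSTED_REGISTRY


def runs_as_root(user) -> bool:
    """Broader root check (an extension beyond the page's policy): an OCI
    config whose User is unset, or set to root / uid 0 (optionally with a
    group suffix), starts the container as root."""
    name = (user or "").split(":")[0]
    return name in ("", "0", "root")


def evaluate_pod(pod: dict, config_users=FAKE_IMAGE_CONFIG_USER) -> list:
    """Mimic the foreach over spec.containers and return the names of the
    containers the policy would deny (or report, under Audit)."""
    denied = []
    for container in pod["spec"]["containers"]:
        image = container["image"]
        user = config_users[image]  # stands in for the imageRegistry lookup
        if violates_policy(user, registry_of(image)):
            denied.append(container["name"])
    return denied


if __name__ == "__main__":
    for name in evaluate_pod(SAMPLE_POD):
        print(f"{name}: images with root user are not allowed from registries other than ghcr.io")
```

Running the script reports only `web`: `tool` is root but comes from `ghcr.io`, `app` runs as uid 1000, and `svc` slips past because its `User` is the non-empty string `root`. If that last case matters in your environment, the policy's first condition needs a broader match than an empty string, along the lines of `runs_as_root`.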
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.