Require Non-Root Groups

Containers should be forbidden from running with a root primary or supplementary GID (GID 0): group membership is checked independently of the UID, so a process with GID 0 can read or write every file and mounted volume that is group-owned by root even when `runAsUser` is non-zero. This policy ensures that `runAsGroup` is explicitly set to a number greater than zero (i.e., non-root), either in the Pod's `securityContext` or on every container, and that `supplementalGroups` and `fsGroup`, when set, contain only values greater than zero. Leaving `runAsGroup` unset is not accepted, because the container then inherits the runtime's default primary GID, which is 0 for many images that declare no group. A known issue prevents a policy such as this one, which uses `anyPattern`, from being persisted properly in Kubernetes 1.23.0-1.23.2.

Policy Definition

/other/require-non-root-groups/require-non-root-groups.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root-groups
  annotations:
    policies.kyverno.io/title: Require Non-Root Groups
    policies.kyverno.io/category: Sample, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.3.6
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Containers should be forbidden from running with a root primary or supplementary GID.
      This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number
      greater than zero (i.e., non root). A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-runasgroup
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Running with root group IDs is disallowed. The fields
          spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
          spec.initContainers[*].securityContext.runAsGroup, and
          spec.ephemeralContainers[*].securityContext.runAsGroup must be
          set to a value greater than zero.
        anyPattern:
        - spec:
            securityContext:
              runAsGroup: ">0"
            =(ephemeralContainers):
              - =(securityContext):
                  =(runAsGroup): ">0"
            =(initContainers):
              - =(securityContext):
                  =(runAsGroup): ">0"
            containers:
              - =(securityContext):
                  =(runAsGroup): ">0"
        - spec:
            =(ephemeralContainers):
              - securityContext:
                  runAsGroup: ">0"
            =(initContainers):
              - securityContext:
                  runAsGroup: ">0"
            containers:
              - securityContext:
                  runAsGroup: ">0"
    - name: check-supplementalgroups
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Containers cannot run with a root primary or supplementary GID. The field
          spec.securityContext.supplementalGroups must be unset or
          set to a value greater than zero.
        pattern:
          spec:
            =(securityContext):
              =(supplementalGroups): ">0"
    - name: check-fsgroup
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Containers cannot run with a root primary or supplementary GID. The field
          spec.securityContext.fsGroup must be unset or set to a value greater than zero.
        pattern:
          spec:
            =(securityContext):
              =(fsGroup): ">0"
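The two alternatives in the `anyPattern` above are the part of this policy that most often surprises people: the first accepts a Pod-level `runAsGroup` with optional container overrides, the second accepts per-container values with no Pod-level setting, and a Pod that sets neither fails. To make those semantics checkable offline, here is an added Python re-implementation of the three rules run against constructed Pod manifests. This is example code written for this page, not Kyverno's engine or the Kyverno CLI; it mirrors only the `">0"` operator and the optional `=()` anchors used in this policy, and the sample Pods, image names and the `report()` helper are constructed for illustration.

```python
"""Offline re-implementation of the require-non-root-groups rules.

Example code added to this page; not Kyverno's engine. It mirrors only the
patterns shown above. All sample Pods are constructed for illustration.
"""
from typing import Any, Dict, List, Optional

CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def _gid_ok(value: Any) -> bool:
    """Kyverno's ">0" operator: present, numeric and strictly greater than zero."""
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def _container_group(container: Dict[str, Any]) -> Optional[int]:
    """runAsGroup from a container's securityContext, or None when absent."""
    return (container.get("securityContext") or {}).get("runAsGroup")


def check_runasgroup(spec: Dict[str, Any]) -> bool:
    """Rule check-runasgroup: passes if EITHER anyPattern alternative matches.

    Alternative 1: spec.securityContext.runAsGroup > 0, and any container that
    overrides it (optional, via =() anchors) must also use a value > 0.
    Alternative 2: every container (init/ephemeral included when present)
    sets its own runAsGroup > 0; the Pod-level value is then irrelevant.
    """
    pod_group = (spec.get("securityContext") or {}).get("runAsGroup")
    containers = [c for key in CONTAINER_LISTS for c in spec.get(key, [])]

    pod_level = _gid_ok(pod_group) and all(
        _container_group(c) is None or _gid_ok(_container_group(c))
        for c in containers
    )
    # `containers:` is a required key in alternative 2; a valid Pod always has one.
    container_level = bool(spec.get("containers")) and all(
        _gid_ok(_container_group(c)) for c in containers
    )
    return pod_level or container_level


def check_supplementalgroups(spec: Dict[str, Any]) -> bool:
    """Rule check-supplementalgroups: unset is fine; every listed GID must be > 0."""
    groups = (spec.get("securityContext") or {}).get("supplementalGroups")
    return groups is None or all(_gid_ok(g) for g in groups)


def check_fsgroup(spec: Dict[str, Any]) -> bool:
    """Rule check-fsgroup: unset is fine; a set value must be > 0."""
    fs_group = (spec.get("securityContext") or {}).get("fsGroup")
    return fs_group is None or _gid_ok(fs_group)


def report(pod: Dict[str, Any]) -> List[str]:
    """Names of the rules a Pod violates; an empty list means compliant."""
    spec = pod.get("spec", {})
    results = {
        "check-runasgroup": check_runasgroup(spec),
        "check-supplementalgroups": check_supplementalgroups(spec),
        "check-fsgroup": check_fsgroup(spec),
    }
    return [rule for rule, ok in results.items() if not ok]


def _pod(name: str, spec: Dict[str, Any]) -> Dict[str, Any]:
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


IMG = "registry.example/app:1.0"  # constructed image reference

# Constructed sample Pods (not taken from the original page).
PASS_POD_LEVEL = _pod("pod-level-ok", {
    "securityContext": {"runAsGroup": 3000, "fsGroup": 2000, "supplementalGroups": [4000]},
    "containers": [{"name": "app", "image": IMG}],
})
PASS_CONTAINER_LEVEL = _pod("container-level-ok", {
    "initContainers": [{"name": "init", "image": IMG, "securityContext": {"runAsGroup": 1000}}],
    "containers": [{"name": "app", "image": IMG, "securityContext": {"runAsGroup": 1000}}],
})
FAIL_UNSET = _pod("nothing-set", {          # runtime default GID applies: rejected
    "containers": [{"name": "app", "image": IMG}],
})
FAIL_OVERRIDE = _pod("container-overrides-to-root", {
    "securityContext": {"runAsGroup": 3000},
    "containers": [
        {"name": "app", "image": IMG, "securityContext": {"runAsGroup": 0}},
        {"name": "sidecar", "image": IMG},
    ],
})
FAIL_SUPPLEMENTAL = _pod("root-supplemental-group", {
    "securityContext": {"runAsGroup": 1000, "supplementalGroups": [0, 4000]},
    "containers": [{"name": "app", "image": IMG}],
})

if __name__ == "__main__":
    for pod in (PASS_POD_LEVEL, PASS_CONTAINER_LEVEL, FAIL_UNSET, FAIL_OVERRIDE, FAIL_SUPPLEMENTAL):
        violations = report(pod)
        status = "pass" if not violations else "fail: " + ", ".join(violations)
        print(f"{pod['metadata']['name']:32s} {status}")
```

The `nothing-set` case is the one to internalise before switching `validationFailureAction` from `Audit` to `Enforce`: workloads that never touched `securityContext` are rejected by `check-runasgroup`, not because they declare GID 0 but because they leave the GID to the runtime. Reviewing the PolicyReports produced in Audit mode first shows which Deployments only need a `runAsGroup` added.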