Validate User ID, Group ID, and FS Group
All processes inside a Pod can be made to run with a specific user ID and group ID by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified so that any file created in a mounted volume (on volume types that support ownership management) is owned by the specified group ID. This policy validates that these three fields are set to the defined values (user ID 1000, group ID 3000, fsGroup 2000) in the Pod-level `spec.securityContext`. Note that the policy only inspects the Pod-level security context: a container's own `securityContext.runAsUser` or `runAsGroup` takes precedence over the Pod-level value, so a Pod can satisfy this policy while one of its containers runs as a different user. The policy ships with `validationFailureAction: Audit`, so violations are reported rather than blocked until it is changed to `Enforce`.
Policy Definition
/other/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-userid-groupid-fsgroup
  annotations:
    policies.kyverno.io/title: Validate User ID, Group ID, and FS Group
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      All processes inside a Pod can be made to run with specific user and groupID
      by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified
      to make sure any file created in the volume will have the specified groupID.
      This policy validates that these fields are set to the defined values.
spec:
  # Audit only reports violations; change to Enforce to reject non-compliant Pods.
  validationFailureAction: Audit
  # Also evaluate Pods that already exist, not just new admission requests.
  background: true
  rules:
  # Each rule checks one field of the Pod-level securityContext; container-level
  # securityContext fields are not inspected by this policy.
  - name: validate-userid
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "User ID should be 1000."
      pattern:
        spec:
          securityContext:
            runAsUser: '1000'
  - name: validate-groupid
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Group ID should be 3000."
      pattern:
        spec:
          securityContext:
            runAsGroup: '3000'
  - name: validate-fsgroup
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "fsgroup should be 2000."
      pattern:
        spec:
          securityContext:
            fsGroup: '2000'
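The following is an added example and is not code from the Kyverno project or from this policy page. It re-implements the policy's three Pod-level checks in plain Python so the pass/fail behaviour can be seen on concrete manifests, and it goes one step further than the policy by computing the effective UID/GID of every container, which shows the gap left by a Pod-level-only pattern: a container's own `securityContext` overrides `runAsUser`/`runAsGroup`. The Pod manifests (`GOOD_POD`, `BAD_POD`, `SNEAKY_POD`) and the image names in them are constructed for this example; the functions `validate_pod_level`, `effective_ids` and `containers_escaping_policy` are hypothetical helpers, not a Kyverno API.

```python
# Added example, not part of the Kyverno policy page or the Kyverno project.
# Re-implements the three Pod-level checks of the policy above and also computes
# the effective UID/GID per container, since a container-level securityContext
# overrides the Pod-level runAsUser / runAsGroup and the policy does not look at
# container-level fields. Manifests are constructed inline as plain dicts, so no
# cluster and no PyYAML are needed.

# Values the policy's three rules require, in the order the rules are declared.
EXPECTED = {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000}

# The validate.message of each rule, verbatim from the policy.
MESSAGES = {
    "runAsUser": "User ID should be 1000.",
    "runAsGroup": "Group ID should be 3000.",
    "fsGroup": "fsgroup should be 2000.",
}


def _as_int(value):
    """Normalise a manifest value to int. The policy writes its pattern values as
    quoted strings ('1000'); a real manifest normally carries an integer."""
    if value is None or isinstance(value, bool):
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def validate_pod_level(pod):
    """Apply the policy's rules: spec.securityContext.<field> must equal EXPECTED.
    Returns the failure messages in rule order; an empty list means the Pod passes."""
    sc = pod.get("spec", {}).get("securityContext") or {}
    return [MESSAGES[f] for f, want in EXPECTED.items() if _as_int(sc.get(f)) != want]


def effective_ids(pod):
    """UID/GID each container will actually run with: the container's own
    securityContext wins over the Pod's. None means 'whatever the image sets'."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    ids = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        uid = _as_int(c_sc.get("runAsUser", pod_sc.get("runAsUser")))
        gid = _as_int(c_sc.get("runAsGroup", pod_sc.get("runAsGroup")))
        ids[c["name"]] = (uid, gid)
    return ids


def containers_escaping_policy(pod):
    """Names of containers whose effective IDs differ from the values the policy
    checks at Pod level, i.e. the gap a Pod-level-only pattern leaves open."""
    return sorted(
        name for name, (uid, gid) in effective_ids(pod).items()
        if uid != EXPECTED["runAsUser"] or gid != EXPECTED["runAsGroup"]
    )


# --- constructed sample manifests (hypothetical image names) -------------------
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{"name": "app", "image": "example.invalid/app:1.0"}],
    },
}

# Wrong user and fsGroup absent: two of the three rules fail.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "securityContext": {"runAsUser": 0, "runAsGroup": 3000},
        "containers": [{"name": "app", "image": "example.invalid/app:1.0"}],
    },
}

# Passes all three Pod-level rules, yet the "debug" container overrides
# runAsUser and will actually run as root.
SNEAKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sneaky"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [
            {"name": "app", "image": "example.invalid/app:1.0"},
            {"name": "debug", "image": "example.invalid/tools:1.0",
             "securityContext": {"runAsUser": 0}},
        ],
    },
}


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD, SNEAKY_POD):
        name = pod["metadata"]["name"]
        print(name, "policy failures:", validate_pod_level(pod) or "none")
        print(name, "effective ids:", effective_ids(pod))
        print(name, "containers escaping the pod-level check:",
              containers_escaping_policy(pod) or "none")
```

Running the script shows `sneaky` passing every rule of the policy while its `debug` container runs with UID 0. Closing that gap in Kyverno itself requires additional patterns over `spec.containers` and `spec.initContainers`, which the policy on this page does not include.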