Require runAsNonRoot in CEL

Containers must be required to run as non-root. This policy ensures `runAsNonRoot` is set to true.

Policy Definition

/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
  annotations:
    policies.kyverno.io/title: Require runAsNonRoot in CEL
    policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Containers must be required to run as non-root. This policy ensures
      `runAsNonRoot` is set to true.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: run-as-non-root
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: >-
                (
                    (
                      has(object.spec.securityContext) &&
                      has(object.spec.securityContext.runAsNonRoot) &&
                      object.spec.securityContext.runAsNonRoot == true
                    ) && (
                      (
                          object.spec.containers +
                          (has(object.spec.initContainers) ? object.spec.initContainers : []) +
                          (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
                      ).all(container,
                          !has(container.securityContext) ||
                          !has(container.securityContext.runAsNonRoot) ||
                          container.securityContext.runAsNonRoot == true)
                    )
                ) || (
                    (
                        object.spec.containers +
                        (has(object.spec.initContainers) ? object.spec.initContainers : []) +
                        (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
                    ).all(container,
                        has(container.securityContext) &&
                        has(container.securityContext.runAsNonRoot) &&
                        container.securityContext.runAsNonRoot == true)
                )
              message: >-
                Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot or all of
                spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot and
                spec.ephemeralContainers[*].securityContext.runAsNonRoot, must be set to true.
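The CEL expression above has two acceptance paths: a pod-level `runAsNonRoot: true` that no container overrides to false, or every container (init and ephemeral included) setting it to true itself. The following is an added example, not Kyverno code and not a CEL engine, that mirrors that logic in plain Python so the paths and the override case can be checked offline against constructed pod specs.

```python
# Added example: the policy's CEL logic re-implemented in Python (not Kyverno code).
# The sample pod specs below are constructed for illustration, not taken from the page.

def _all_containers(spec):
    """Same union the CEL builds: containers + initContainers + ephemeralContainers."""
    return (spec.get("containers", [])
            + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))

def _container_flag(container):
    """runAsNonRoot from a container's securityContext, or None when absent (CEL !has())."""
    return (container.get("securityContext") or {}).get("runAsNonRoot")

def pod_runs_as_nonroot(pod):
    """True when the pod would pass the rule run-as-non-root.

    Branch A: spec.securityContext.runAsNonRoot == true and no container sets it
              to false (a container may omit it and inherit the pod-level value).
    Branch B: every container, including init and ephemeral ones, sets it to true.
    """
    spec = pod["spec"]
    containers = _all_containers(spec)
    pod_level = (spec.get("securityContext") or {}).get("runAsNonRoot") is True
    branch_a = pod_level and all(_container_flag(c) in (None, True) for c in containers)
    branch_b = all(_container_flag(c) is True for c in containers)
    return branch_a or branch_b

# Constructed samples. Pod-level true, containers inherit: passes via branch A.
POD_LEVEL_ONLY = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app"}],
    "initContainers": [{"name": "init"}]}}

# Pod-level true but an init container explicitly opts back into root: fails both branches.
INIT_OVERRIDES_TO_ROOT = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app"}],
    "initContainers": [{"name": "init", "securityContext": {"runAsNonRoot": False}}]}}

# No pod-level setting, every container (ephemeral too) sets true: passes via branch B.
PER_CONTAINER_ONLY = {"spec": {
    "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}],
    "ephemeralContainers": [{"name": "debug", "securityContext": {"runAsNonRoot": True}}]}}

# No pod-level setting and the ephemeral debug container leaves it unset: fails.
DEBUG_SIDECAR_UNSET = {"spec": {
    "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}],
    "ephemeralContainers": [{"name": "debug"}]}}
```

The second and fourth samples are the cases worth remembering: a container-level `false` defeats a pod-level `true`, and an ephemeral debug container added later with no `securityContext` is enough to fail the rule when there is no pod-level default.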