Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
kustomize build https://github.com/kyverno/policies/pod-security/restricted/ | kubectl apply -f -
This command installs all policies with validateFailureAction: enforce and hence will block resources that violate policies. Alternatively, you can clone the Git repo to install the policies.
Containers should be forbidden from running with a root primary or supplementary GID.
Containers must be required to run as non-root users.
The runtime default seccomp profile must be required, or only specific additional profiles should be allowed.
In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes.
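The rules listed on this page map onto Pod spec fields as follows. This is an added example, not a manifest from the Kyverno policies repository: the pod names, image, claim name and the 10001 IDs are constructed placeholders, and the policy set may apply further checks that are not shown here.

```yaml
# Constructed example manifests; names, image and claim name are placeholders.
# Pod 1 violates each rule listed on this page and is blocked under enforce.
apiVersion: v1
kind: Pod
metadata:
  name: violates-listed-rules
spec:
  securityContext:
    runAsGroup: 0                      # root primary GID
    supplementalGroups: [0]            # root supplementary GID
  containers:
  - name: app
    image: registry.example.com/app:1.0
    securityContext:
      allowPrivilegeEscalation: true   # set-user-ID/set-group-ID binaries can gain privileges
      runAsNonRoot: false              # container may start as UID 0
      seccompProfile:
        type: Unconfined               # no seccomp filtering at all
  volumes:
  - name: data
    hostPath:                          # HostPath volume, not allowed
      path: /var/lib/app
---
# Pod 2 sets the fields that the same rules look for.
apiVersion: v1
kind: Pod
metadata:
  name: meets-listed-rules
spec:
  securityContext:
    runAsNonRoot: true                 # kubelet refuses to start a UID 0 process
    runAsUser: 10001
    runAsGroup: 10001                  # non-root primary GID
    supplementalGroups: [10001]        # non-root supplementary GID
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault             # runtime default seccomp profile
  containers:
  - name: app
    image: registry.example.com/app:1.0
    securityContext:
      allowPrivilegeEscalation: false  # must be set on every container
  volumes:
  - name: data
    persistentVolumeClaim:             # storage defined through a PersistentVolume
      claimName: app-data
```

Pod-level securityContext values apply to every container unless a container overrides them, so a container-level runAsNonRoot: false or seccompProfile of Unconfined would still violate the rules even with the pod-level settings above.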