Restricted

Heavily restricted policies following current Pod hardening best practices.

To apply the Default and Restricted policies, install Kyverno and run the following kustomize command:

kustomize build https://github.com/kyverno/policies/pod-security/restricted/ | kubectl apply -f -

This command installs all policies with validateFailureAction: enforce and hence will block resources that violate policies. Alternatively, you can clone the Git repo to install the policies.


Deny Privilege Escalation

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.

Require Non Root Groups

Containers should be forbidden from running with a root primary or supplementary GID.

Require Run As Non Root

Containers must be required to run as non-root users.

Restrict Seccomp

The runtime default seccomp profile must be required, or only specific additional profiles should be allowed.

Restrict Volume Types

In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes.
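The five controls above can be approximated as a pre-admission lint over a Pod manifest; this is an added example, not code from the Kyverno project, and it does not reproduce Kyverno's rule logic. The function name, the two allow-lists, the requirement that allowPrivilegeEscalation be explicitly false, and the sample manifests are assumptions made for illustration.

```python
# Added example: lint approximating the five Restricted controls (not Kyverno's rule logic).
ALLOWED_VOLUMES = {"configMap", "downwardAPI", "emptyDir",  # assumed allow-list
                   "persistentVolumeClaim", "projected", "secret"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}  # assumed allow-list

def check_restricted(pod):
    """Return a list of violation strings for a Pod manifest dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    out = []
    # fsGroup and supplementalGroups exist only at pod level.
    groups = [pod_sc.get("runAsGroup"), pod_sc.get("fsGroup")]
    groups += pod_sc.get("supplementalGroups") or []
    if 0 in groups:
        out.append("pod: root GID")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation not false")
        if sc.get("runAsGroup") == 0:
            out.append(f"{name}: root GID")
        # Container-level settings override pod-level ones.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{name}: runAsNonRoot not true")
        prof = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if prof.get("type") not in ALLOWED_SECCOMP:
            out.append(f"{name}: seccomp profile not allowed")
    for v in spec.get("volumes") or []:
        bad = set(v) - {"name"} - ALLOWED_VOLUMES
        if bad:
            out.append(f"volume {v.get('name')}: {sorted(bad)[0]} not allowed")
    return out

# Constructed sample manifests (not from the Kyverno repository).
GOOD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsGroup": 3000, "fsGroup": 2000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app",
                    "securityContext": {"allowPrivilegeEscalation": False}}],
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data"}}]}}
BAD = {"spec": {
    "securityContext": {"supplementalGroups": [0]},
    "containers": [{"name": "app", "securityContext": {"runAsNonRoot": False}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/var/log"}}]}}

if __name__ == "__main__":
    for label, pod in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_restricted(pod) or "compliant")
```

Running such a check in CI surfaces violations before the cluster's enforce-mode policies reject the resource at admission.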

Last modified January 22, 2021: add kustomize links and details (154604d)