Deny Privilege Escalation
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
To apply the Default and Restricted policies, install Kyverno and run the following kustomize command:
kustomize build https://github.com/kyverno/policies/pod-security/restricted/ | kubectl apply -f -
This command installs all policies with `validationFailureAction: enforce` and hence will block resources that violate them. Alternatively, you can clone the Git repo to install the policies.
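As an added example (not the policy file shipped in the kyverno/policies repository), the following Kyverno ClusterPolicy expresses the Deny Privilege Escalation rule described above; the rule name and message text are assumptions. The `=()` equality anchor makes the initContainers and ephemeralContainers checks apply only when those lists are present, while the containers list is always checked.

```yaml
# Illustrative ClusterPolicy (constructed example, not the upstream policy file).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-privilege-escalation
  annotations:
    policies.kyverno.io/title: Deny Privilege Escalation
    policies.kyverno.io/category: Pod Security Standards (Restricted)
spec:
  # enforce: admission requests that violate the rule are rejected.
  # Use "audit" instead to only record violations in policy reports.
  validationFailureAction: enforce
  # Also scan existing Pods in the background and report violations.
  background: true
  rules:
    - name: deny-privilege-escalation
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Privilege escalation is disallowed. The fields
          spec.containers[*].securityContext.allowPrivilegeEscalation,
          spec.initContainers[*].securityContext.allowPrivilegeEscalation,
          and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
          must be set to `false`.
        pattern:
          spec:
            # =(key): validate this block only if the key exists in the Pod.
            =(ephemeralContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            # A single list element in a pattern applies to every container.
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
```

Because the pattern requires the field to be present and `false`, a Pod that omits `allowPrivilegeEscalation` entirely is also rejected, which is the intended outcome since the Kubernetes default for that field is `true`.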
Containers should be forbidden from running with a root primary or supplementary GID.
Containers must be required to run as non-root users.
The runtime default seccomp profile must be required, or only specific additional profiles should be allowed.
In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes.