Back to Policies

Require runAsNonRoot

Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
  annotations:
    policies.kyverno.io/title: Require runAsNonRoot
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: 1.22-1.23
    policies.kyverno.io/description: Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot must be set to `true`.
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: "true"
              "=(ephemeralContainers)":
                - "=(securityContext)":
                    "=(runAsNonRoot)": "true"
              "=(initContainers)":
                - "=(securityContext)":
                    "=(runAsNonRoot)": "true"
              containers:
                - "=(securityContext)":
                    "=(runAsNonRoot)": "true"
          - spec:
              "=(ephemeralContainers)":
                - securityContext:
                    runAsNonRoot: "true"
              "=(initContainers)":
                - securityContext:
                    runAsNonRoot: "true"
              containers:
                - securityContext:
                    runAsNonRoot: "true"

Related Policies

ValidateMedium

Application Field Validation in CEL expressions

This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.

Application
ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application