Require runAsNonRoot

Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.

Policy Definition

/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
  annotations:
    policies.kyverno.io/title: Require runAsNonRoot
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      Containers must be required to run as non-root users. This policy ensures
      `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: run-as-non-root
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
          must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
          spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
          must be set to `true`.
        anyPattern:
        - spec:
            securityContext:
              runAsNonRoot: "true"
            =(ephemeralContainers):
            - =(securityContext):
                =(runAsNonRoot): "true"
            =(initContainers):
            - =(securityContext):
                =(runAsNonRoot): "true"
            containers:
            - =(securityContext):
                =(runAsNonRoot): "true"
        - spec:
            =(ephemeralContainers):
            - securityContext:
                runAsNonRoot: "true"
            =(initContainers):
            - securityContext:
                runAsNonRoot: "true"
            containers:
            - securityContext:
                runAsNonRoot: "true"
```
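The two `anyPattern` branches above encode a subtle rule: either the pod-level flag is `true` and no container overrides it to `false` (the `=()` conditional anchors only fire when the field is present), or every container in all three lists sets it explicitly. The following is an added example, not code from the Kyverno policies repository, that re-implements just those two branches in Python so the pass/fail behaviour can be checked offline against constructed Pod specs; the pattern's quoted `"true"` is modelled as the boolean `True` that the Kubernetes API stores, and the sample names and images are placeholders.

```python
# Added example, not from the Kyverno policies repo: re-implements the two anyPattern
# branches of require-run-as-nonroot; only the anchor semantics this policy needs are modelled.
from typing import Any, Dict

CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")

def _flag(obj: Dict[str, Any]) -> Any:
    """securityContext.runAsNonRoot of a pod spec or container, or None if unset."""
    return (obj.get("securityContext") or {}).get("runAsNonRoot")

def pod_level_branch(spec: Dict[str, Any]) -> bool:
    """First pattern: the pod-level flag must be true, and a container that does set
    the field (=() conditional anchor) must not override it; containers that leave it
    unset inherit the pod-level value."""
    if _flag(spec) is not True:
        return False
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            sc = c.get("securityContext")
            if sc is not None and "runAsNonRoot" in sc and sc["runAsNonRoot"] is not True:
                return False
    return True

def container_level_branch(spec: Dict[str, Any]) -> bool:
    """Second pattern: every entry of containers, and of initContainers / ephemeralContainers
    when those optional lists are present, must itself set runAsNonRoot: true."""
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            if _flag(c) is not True:
                return False
    return True

def allowed(pod: Dict[str, Any]) -> bool:
    """The Pod passes if either branch matches, mirroring anyPattern."""
    spec = pod.get("spec") or {}
    return pod_level_branch(spec) or container_level_branch(spec)

# Constructed sample Pods (names and images are placeholders).
SAMPLES = {
    "pod-level": {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{"name": "app", "image": "example/app"}]}},
    "container-level": {"spec": {"containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}]}},
    "override-false": {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{"name": "app", "securityContext": {"runAsNonRoot": False}}]}},
    "init-unset": {"spec": {"containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}],
                            "initContainers": [{"name": "setup", "image": "example/setup"}]}},
    "unset": {"spec": {"containers": [{"name": "app", "image": "example/app"}]}},
}

if __name__ == "__main__":
    for name, pod in SAMPLES.items():
        print(f"{name:16} -> {'pass' if allowed(pod) else 'FAIL'}")
```

The `override-false` and `init-unset` cases are the ones worth keeping in mind when reading audit results: a pod-level `true` is not enough if any container sets `false`, and an init container that omits the field fails the container-level branch.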