mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-07 08:26:53 +00:00
38 lines
1 KiB
Markdown
38 lines
1 KiB
Markdown
|
# Run as non-root user
|
||
|
|
|
||
|
|
By default, processes in a container run as a root user (uid 0). To prevent potential compromise of container hosts, specify a least privileged user ID when building the container image and require that application containers run as non root users i.e. set `runAsNonRoot` to `true`.
|
||
|
|
|
||
|
|
## Policy YAML
|
||
|
|
|
||
|
|
[deny_runasrootuser.yaml](best_practices/deny_runasrootuser.yaml)
|
||
|
|
|
||
|
|
````yaml
|
||
|
|
apiVersion: kyverno.io/v1alpha1
|
||
|
|
kind: ClusterPolicy
|
||
|
|
metadata:
|
||
|
|
name: validate-deny-runasrootuser
|
||
|
|
spec:
|
||
|
|
rules:
|
||
|
|
- name: deny-runasrootuser
|
||
|
|
match:
|
||
|
|
resources:
|
||
|
|
kinds:
|
||
|
|
- Pod
|
||
|
|
validate:
|
||
|
|
message: "Root user is not allowed. Set runAsNonRoot to true."
|
||
|
|
anyPattern:
|
||
|
|
- spec:
|
||
|
|
securityContext:
|
||
|
|
runAsNonRoot: true
|
||
|
|
- spec:
|
||
|
|
containers:
|
||
|
|
- name: "*"
|
||
|
|
securityContext:
|
||
|
|
runAsNonRoot: true
|
||
|
|
````
|
||
|
|
|
||
|
|
|
||
|
|
## Additional Information
|
||
|
|
|
||
|
|
* [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
|