kyverno/samples/best_practices/disallow_root_user.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-root-user
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: By default, processes in a container run as a 
      root user (uid 0). To prevent potential compromise of container hosts, specify a 
      least privileged user ID when building the container image and require that 
      application containers run as non root users.
spec:
  rules:
  - name: validate-runAsNonRoot
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Running as root is not allowed. Set runAsNonRoot to true, or use runAsUser"
      anyPattern:
      - spec:
          securityContext:
            runAsNonRoot: true
      - spec:
          securityContext:
            runAsUser: ">0"
      - spec:
          containers:
          - securityContext:
              runAsNonRoot: true
      - spec:
          containers:
          - securityContext:
              runAsUser: ">0"
update api in samples/ 2019-11-13 13:56:20 -08:00			`apiVersion: kyverno.io/v1`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00			`kind: ClusterPolicy`
			`metadata:`
update disallow_root_user 2019-11-08 19:25:43 -08:00			`name: disallow-root-user`
Provide descriptions for policies 2019-10-11 18:57:16 -07:00			`annotations:`
update disallow_root_user 2019-11-08 19:25:43 -08:00			`policies.kyverno.io/category: Security`
update description format 2019-10-14 16:33:19 -07:00			`policies.kyverno.io/description: By default, processes in a container run as a`
			`root user (uid 0). To prevent potential compromise of container hosts, specify a`
			`least privileged user ID when building the container image and require that`
			`application containers run as non root users.`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00			`spec:`
			`rules:`
update disallow_root_user 2019-11-08 19:25:43 -08:00			`- name: validate-runAsNonRoot`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
fix disallow root user policy 2020-08-18 21:03:38 -07:00			`message: "Running as root is not allowed. Set runAsNonRoot to true, or use runAsUser"`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00			`anyPattern:`
			`- spec:`
			`securityContext:`
			`runAsNonRoot: true`
fix disallow root user policy 2020-08-18 21:03:38 -07:00			`- spec:`
			`securityContext:`
			`runAsUser: ">0"`
			`- spec:`
			`containers:`
			`- securityContext:`
			`runAsNonRoot: true`
inital commit, add samples folder 2019-10-08 18:40:15 -07:00			`- spec:`
			`containers:`
add anchors for omitempty tag 2019-12-30 13:53:51 -08:00			`- securityContext:`
fix disallow root user policy 2020-08-18 21:03:38 -07:00			`runAsUser: ">0"`