fix disallow root user policy

2025-04-18 02:06:52 +00:00 · 2020-08-18 21:03:38 -07:00 · 2020-08-18 21:03:38 -07:00 · 293281596b
commit 293281596b
parent fc6da9c9e6
2 changed files with 9 additions and 7 deletions
--- a/samples/best_practices/disallow_privileged.yaml
+++ b/samples/best_practices/disallow_privileged.yaml
@ -22,8 +22,6 @@ spec:
        spec:
          containers:
          - =(securityContext):
-              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5707-L5711
-              # k8s default to false
              =(privileged): false
  - name: validate-allowPrivilegeEscalation
    match:
@ -36,6 +34,5 @@ spec:
        spec:
          containers:
          - securityContext:
-              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5754
              allowPrivilegeEscalation: false

--- a/samples/best_practices/disallow_root_user.yaml
+++ b/samples/best_practices/disallow_root_user.yaml
@ -16,14 +16,19 @@ spec:
        kinds:
        - Pod
    validate:
-      message: "Running as root user is not allowed. Set runAsNonRoot to true"
+      message: "Running as root is not allowed. Set runAsNonRoot to true, or use runAsUser"
      anyPattern:
      - spec:
          securityContext:
-            # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L3165
            runAsNonRoot: true
+      - spec:
+          securityContext:
+            runAsUser: ">0"
      - spec:
          containers:
          - securityContext:
-              # https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5742
-              runAsNonRoot: true
+              runAsNonRoot: true
+      - spec:
+          containers:
+          - securityContext:
+              runAsUser: ">0"