mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 01:16:55 +00:00
Code Activity
kyverno/samples/best_practices/deny_runasrootuser.yaml
Shuting Zhao 61808837fb update description
2019-10-14 13:58:47 -07:00

27 lines
No EOL
886 B
YAML
Raw Blame History

apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-deny-runasrootuser
annotations:
policies.kyverno.io/category: Security Context
policies.kyverno.io/description: |
By default, processes in a container run as a root user (uid 0). To prevent potential compromise of container hosts, specify a least privileged user ID when building the container image and require that application containers run as non root users.
spec:
validationFailureAction: "audit"
rules:
- name: deny-runasrootuser
match:
resources:
kinds:
- Pod
validate:
message: "Root user is not allowed. Set runAsNonRoot to true."
anyPattern:
- spec:
securityContext:
runAsNonRoot: true
- spec:
containers:
- name: "*"
securityContext:
runAsNonRoot: true
View git blame Copy permalink