kyverno/samples/README.md
2019-10-09 10:39:25 -07:00

## Best Practice Policies

| Best practice | Policy |
|---|---|
| Run as non-root user | `deny_runasrootuser.yaml` |
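A worked example of the non-root best practice as a Kyverno `ClusterPolicy`, followed by a constructed Pod that it rejects. This is an added example, not the repository's own `deny_runasrootuser.yaml`; it is written against the `kyverno.io/v1` ClusterPolicy API (the samples at this commit may use an older API version), and the policy name, rule name and the test Pod are assumptions made for illustration.

```yaml
# Added example (not the repository's deny_runasrootuser.yaml).
# Assumes the kyverno.io/v1 ClusterPolicy API; names are illustrative.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
spec:
  validationFailureAction: Enforce   # reject at admission instead of only auditing
  background: true                   # also report existing Pods that violate the rule
  rules:
  - name: check-runasnonroot
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: >-
        Running as root is not allowed. Set runAsNonRoot: true in the pod-level
        securityContext or in the securityContext of every container.
      # anyPattern: the Pod passes if at least one pattern matches.
      anyPattern:
      # Either the pod-level securityContext covers every container...
      - spec:
          securityContext:
            runAsNonRoot: true
      # ...or each container (and each init container, if any) sets it itself.
      # =(initContainers) is an equality anchor: only checked when the list exists.
      - spec:
          containers:
          - securityContext:
              runAsNonRoot: true
          =(initContainers):
          - securityContext:
              runAsNonRoot: true
---
# Constructed test Pod: rejected by the policy above, because runAsNonRoot is
# not set anywhere and the container explicitly asks for UID 0.
apiVersion: v1
kind: Pod
metadata:
  name: root-shell
spec:
  containers:
  - name: shell
    image: busybox:1.36
    command: ["sh", "-c", "sleep 3600"]
    securityContext:
      runAsUser: 0
```

Split the two documents into separate files to check the result offline with the Kyverno CLI (`kyverno apply policy.yaml --resource pod.yaml`), or apply the policy to a cluster and `kubectl apply` the Pod; in both cases the Pod is rejected with the rule's message. Two caveats a practitioner should keep in mind: `runAsNonRoot: true` is enforced by the kubelet at container start (an image whose `USER` is 0, or a container that also sets `runAsUser: 0`, fails to start rather than being rejected at admission), and the policy says nothing about `ephemeralContainers`, which this pattern does not cover.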

## Additional Policies

| Description | Policy | Details |
|---|---|---|
| Check userID, groupID & fsGroup used inside a Pod | Restrict the range of IDs used inside a Pod | All processes inside the pod can be made to run with a specific user ID and group ID by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified to make sure any file created in a volume will have the specified group ID. |
| Assign Linux capabilities inside a Pod | Verify capabilities added in a Pod | Linux divides the privileges traditionally associated with the superuser into distinct units, known as capabilities, which can be independently enabled and disabled by listing them in the `capabilities` section of a container's `securityContext`. [List of Linux capabilities](https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h) |
| Configure kernel parameters | The minimum and maximum port a network connection can use as its source (local) port can be validated by checking `net.ipv4.ip_local_port_range` | The sysctl interface allows kernel parameters to be modified at runtime; in Kubernetes they are specified in the `sysctls` section of the pod-level `securityContext` (there is no container-level equivalent). See the list of supported namespaced sysctl interfaces. |
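The three additional policies above, worked through as a single Kyverno `ClusterPolicy` with one rule per row. This is an added example, not one of the repository's sample policies; it assumes the `kyverno.io/v1` API, uses the documented pattern operators (`=()` equality anchor, `()` conditional anchor, `low-high` range) and `deny.conditions` with the `AnyIn`/`AnyNotIn` operators, and the policy and rule names, the chosen UID/GID range, the blocked capabilities and the pinned port range are all illustrative choices.

```yaml
# Added example (not a repository sample). Assumes the kyverno.io/v1 API;
# names, the 1000-65535 range, the capability list and the pinned port
# range are illustrative choices.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-pod-security-context
spec:
  validationFailureAction: Enforce
  background: true
  rules:

  # Row 1: restrict runAsUser / runAsGroup / fsGroup to a range.
  # =(key) means "only check the value if the key is present", so Pods that
  # leave the fields unset still pass; combine with the non-root policy to
  # force them to be set.
  - name: restrict-ids
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "runAsUser, runAsGroup and fsGroup must be within 1000-65535 when set."
      pattern:
        spec:
          =(securityContext):
            =(runAsUser): "1000-65535"
            =(runAsGroup): "1000-65535"
            =(fsGroup): "1000-65535"
          containers:
          - =(securityContext):
              =(runAsUser): "1000-65535"
              =(runAsGroup): "1000-65535"

  # Row 2: block dangerous capabilities in capabilities.add of any container.
  # The `|| `[]`` default keeps the JMESPath result a list when the field is
  # absent, so AnyIn evaluates to false and the Pod passes.
  - name: restrict-capabilities
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Adding SYS_ADMIN, NET_ADMIN or SYS_PTRACE is not allowed."
      deny:
        conditions:
          any:
          - key: "{{ request.object.spec.containers[].securityContext.capabilities.add[] || `[]` }}"
            operator: AnyIn
            value: [SYS_ADMIN, NET_ADMIN, SYS_PTRACE]
          - key: "{{ request.object.spec.initContainers[].securityContext.capabilities.add[] || `[]` }}"
            operator: AnyIn
            value: [SYS_ADMIN, NET_ADMIN, SYS_PTRACE]

  # Row 3a: only allow the namespaced sysctls that Kubernetes classes as safe
  # (list taken from the Kubernetes sysctl docs; newer releases add more).
  - name: restrict-sysctls
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Only safe namespaced sysctls may be set on a Pod."
      deny:
        conditions:
          any:
          - key: "{{ request.object.spec.securityContext.sysctls[].name || `[]` }}"
            operator: AnyNotIn
            value:
            - kernel.shm_rmid_forced
            - net.ipv4.ip_local_port_range
            - net.ipv4.tcp_syncookies
            - net.ipv4.ping_group_range
            - net.ipv4.ip_unprivileged_port_start

  # Row 3b: if net.ipv4.ip_local_port_range is set, pin it to a fixed range.
  # (name) is a conditional anchor: the value check applies only to list
  # entries whose name matches.
  - name: pin-local-port-range
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "net.ipv4.ip_local_port_range must be set to '32768 60999'."
      pattern:
        spec:
          =(securityContext):
            =(sysctls):
            - (name): net.ipv4.ip_local_port_range
              value: "32768 60999"
```

To exercise it, write a Pod that sets `runAsUser: 0`, adds `SYS_ADMIN`, or sets `kernel.msgmax` (an unsafe sysctl), and run `kyverno apply policy.yaml --resource pod.yaml`; each violation is reported under its rule's message. Note that `restrict-sysctls` only admits what the kubelet will apply anyway: unsafe sysctls are refused at the node unless they are explicitly enabled with the kubelet's `--allowed-unsafe-sysctls` flag, so the policy mainly turns a late node-level failure into an early admission-time rejection with a readable message.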