feat(kyverno): add policy engine with security baseline

- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas) - Validation policies: - disallow-privileged-containers (Enforce) - require-resource-limits (Enforce) - require-labels (Audit - standard k8s labels) - require-run-as-non-root (Audit) - disallow-latest-tag (Enforce - GitOps reproducibility) - Mutating policy: - add-default-securitycontext (seccomp, drop caps, read-only fs) - System namespaces excluded (kube-system, kyverno, istio-system) - Auto-discovered by ArgoCD ApplicationSet Reference: CIS Kubernetes Benchmark, Pod Security Standards
2026-02-10 06:44:57 +00:00 · 2026-02-09 18:02:21 +00:00
parent 124a29a0a9
commit 3752fd0386
10 changed files with 445 additions and 0 deletions
--- a/infrastructure/kyverno/policies/require-non-root.yaml
+++ b/infrastructure/kyverno/policies/require-non-root.yaml
@@ -0,0 +1,54 @@
+# infrastructure/kyverno/policies/require-non-root.yaml
+# Requires containers to run as non-root user
+# Security baseline: CIS Benchmark 5.2.6
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-run-as-non-root
+  annotations:
+    policies.kyverno.io/title: Require Run As Non-Root
+    policies.kyverno.io/category: Pod Security Standards (Restricted)
+    policies.kyverno.io/severity: high
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Running as root inside a container is a security risk. If a
+      container breakout occurs, root in the container could become
+      root on the host. This policy requires containers to run as
+      a non-root user.
+spec:
+  validationFailureAction: Audit  # Audit first, Enforce after baseline
+  background: true
+  rules:
+    - name: run-as-non-root
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - kube-system
+                - kyverno
+                - istio-system
+      validate:
+        message: "Containers must run as non-root. Set runAsNonRoot: true or specify a non-root runAsUser."
+        anyPattern:
+          # Pattern 1: Pod-level runAsNonRoot
+          - spec:
+              securityContext:
+                runAsNonRoot: true
+          # Pattern 2: Container-level runAsNonRoot
+          - spec:
+              containers:
+                - securityContext:
+                    runAsNonRoot: true
+          # Pattern 3: Explicit non-root UID (>= 1000)
+          - spec:
+              securityContext:
+                runAsUser: ">999"
+          - spec:
+              containers:
+                - securityContext:
+                    runAsUser: ">999"