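# infrastructure/kyverno/policies/require-non-root.yaml
# Requires containers to run as non-root user
# Security baseline: CIS Benchmark 5.2.6
#
# Coverage notes (review):
#   - A container-level securityContext overrides the pod-level one. A pod
#     with spec.securityContext.runAsNonRoot: true whose container sets
#     runAsNonRoot: false (typically together with runAsUser: 0) satisfied
#     the previous pod-level patterns and ran as root. Every pod-level
#     pattern below therefore also constrains per-container settings with
#     conditional `=()` anchors ("if present, must match").
#   - initContainers and ephemeralContainers (kubectl debug) share the host
#     kernel exactly like regular containers and were previously unchecked;
#     they are covered by every pattern now.
#   - Kyverno applies an array pattern to each element of the resource array,
#     so `containers: [ {...} ]` means "every container must match".
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
  annotations:
    policies.kyverno.io/title: Require Run As Non-Root
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: high
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Running as root inside a container is a security risk. If a container
      breakout occurs, root in the container could become root on the host.
      This policy requires containers, init containers and ephemeral
      containers to run as a non-root user, either via runAsNonRoot: true or
      an explicit non-root runAsUser, and rejects per-container overrides
      back to root.
spec:
  # Audit records violations in PolicyReports but does not block admission:
  # while this stays Audit, root containers are still scheduled. Switch to
  # Enforce once the reports for existing workloads are clean.
  validationFailureAction: Audit
  # Evaluate existing resources too, so pre-existing root workloads appear
  # in reports and not only new admissions.
  background: true
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Excluded namespaces are blind spots: anything deployed there runs
      # unchecked by this policy. Keep the list minimal and reviewed.
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - istio-system
      validate:
        message: >-
          Containers must run as non-root. Set runAsNonRoot: true or specify a
          non-root runAsUser, at pod level or on every container, init
          container and ephemeral container, and do not override it to root
          on any container.
        # At least one pattern must match. Inside a pattern, `=(key)` means
        # the key is optional but must match when present: a container that
        # omits securityContext inherits the pod-level value, and one that
        # sets it must not weaken it.
        anyPattern:
          # Pattern 1: Pod-level runAsNonRoot, with no container-level
          # override back to false.
          - spec:
              securityContext:
                runAsNonRoot: true
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              =(ephemeralContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          # Pattern 2: runAsNonRoot set explicitly on every container
          # (init and ephemeral containers included, if any exist).
          - spec:
              =(initContainers):
                - securityContext:
                    runAsNonRoot: true
              =(ephemeralContainers):
                - securityContext:
                    runAsNonRoot: true
              containers:
                - securityContext:
                    runAsNonRoot: true
          # Pattern 3: Pod-level explicit non-root UID, with no container-level
          # override to a lower UID. Any UID other than 0 is non-root; ">999"
          # additionally keeps workloads out of the system-account UID range.
          - spec:
              securityContext:
                runAsUser: ">999"
              =(initContainers):
                - =(securityContext):
                    =(runAsUser): ">999"
              =(ephemeralContainers):
                - =(securityContext):
                    =(runAsUser): ">999"
              containers:
                - =(securityContext):
                    =(runAsUser): ">999"
          # Pattern 4: explicit non-root UID on every container
          # (init and ephemeral containers included, if any exist).
          - spec:
              =(initContainers):
                - securityContext:
                    runAsUser: ">999"
              =(ephemeralContainers):
                - securityContext:
                    runAsUser: ">999"
              containers:
                - securityContext:
                    runAsUser: ">999"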