ghndrx/homelab-gitops
1
0
Fork 0
mirror of https://github.com/ghndrx/homelab-gitops.git synced 2026-02-10 06:44:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
homelab-gitops/infrastructure/kyverno/policies/require-non-root.yaml
Greg Hendrickson 3752fd0386 feat(kyverno): add policy engine with security baseline 
- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards
2026-02-09 18:02:21 +00:00

55 lines
1.8 KiB
YAML
Raw Permalink Blame History

# infrastructure/kyverno/policies/require-non-root.yaml
# Requires containers to run as non-root user
# Security baseline: CIS Benchmark 5.2.6
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-run-as-non-root
annotations:
policies.kyverno.io/title: Require Run As Non-Root
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Running as root inside a container is a security risk. If a
container breakout occurs, root in the container could become
root on the host. This policy requires containers to run as
a non-root user.
spec:
validationFailureAction: Audit # Audit first, Enforce after baseline
background: true
rules:
- name: run-as-non-root
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaces:
- kube-system
- kyverno
- istio-system
validate:
message: "Containers must run as non-root. Set runAsNonRoot: true or specify a non-root runAsUser."
anyPattern:
# Pattern 1: Pod-level runAsNonRoot
- spec:
securityContext:
runAsNonRoot: true
# Pattern 2: Container-level runAsNonRoot
- spec:
containers:
- securityContext:
runAsNonRoot: true
# Pattern 3: Explicit non-root UID (>= 1000)
- spec:
securityContext:
runAsUser: ">999"
- spec:
containers:
- securityContext:
runAsUser: ">999"
Reference in New Issue View Git Blame Copy Permalink