Require runAsNonRoot in CEL

Containers must be required to run as non-root. This policy ensures `runAsNonRoot` is set to true.

Policy Definition

/pod-security-cel/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
  annotations:
    policies.kyverno.io/title: Require runAsNonRoot in CEL
    policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Containers must be required to run as non-root. This policy ensures
      `runAsNonRoot` is set to true.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: run-as-non-root
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        cel:
          expressions:
            - expression: >-
                (
                    (
                      has(object.spec.securityContext) &&
                      has(object.spec.securityContext.runAsNonRoot) &&
                      object.spec.securityContext.runAsNonRoot == true
                    ) && (
                      (
                          object.spec.containers +
                          (has(object.spec.initContainers) ? object.spec.initContainers : []) +
                          (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
                      ).all(container,
                          !has(container.securityContext) ||
                          !has(container.securityContext.runAsNonRoot) ||
                          container.securityContext.runAsNonRoot == true)
                    )
                ) || (
                    (
                        object.spec.containers +
                        (has(object.spec.initContainers) ? object.spec.initContainers : []) +
                        (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : [])
                    ).all(container,
                        has(container.securityContext) &&
                        has(container.securityContext.runAsNonRoot) &&
                        container.securityContext.runAsNonRoot == true)
                )
              message: >-
                Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot or all of
                spec.containers[*].securityContext.runAsNonRoot, spec.initContainers[*].securityContext.runAsNonRoot and
                spec.ephemeralContainers[*].securityContext.runAsNonRoot, must be set to true.
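As an added example, not part of the Kyverno policy catalog, the following Python re-implements the two branches of the CEL expression above so the same check can be run over Pod manifests (for instance in CI) before they reach the admission controller. The function names and the sample manifests are constructed here for illustration.

```python
from typing import Optional

def _all_containers(spec: dict) -> list:
    # Same union the CEL expression builds: containers + initContainers + ephemeralContainers
    return (spec.get("containers", [])
            + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))

def _run_as_non_root(obj: dict) -> Optional[bool]:
    # None when securityContext or runAsNonRoot is absent (the CEL has() checks fail),
    # otherwise the boolean value of the field
    sc = obj.get("securityContext") or {}
    return sc.get("runAsNonRoot") if "runAsNonRoot" in sc else None

def pod_is_non_root(pod: dict) -> bool:
    """True when the Pod would pass the run-as-non-root CEL rule."""
    spec = pod["spec"]
    containers = _all_containers(spec)
    # Branch 1: pod-level runAsNonRoot is true and no container sets it to false
    # (a container that leaves the field unset inherits the pod-level value)
    if _run_as_non_root(spec) is True and all(
            _run_as_non_root(c) in (None, True) for c in containers):
        return True
    # Branch 2: every container, init and ephemeral included, sets runAsNonRoot: true itself
    return all(_run_as_non_root(c) is True for c in containers)

# Constructed sample manifests (spec only), not taken from the policy page
POD_LEVEL_TRUE = {"spec": {"securityContext": {"runAsNonRoot": True},
                           "containers": [{"name": "app"}],
                           "initContainers": [{"name": "init"}]}}
CONTAINER_OVERRIDES_FALSE = {"spec": {"securityContext": {"runAsNonRoot": True},
                                      "containers": [{"name": "app",
                                                      "securityContext": {"runAsNonRoot": False}}]}}
PER_CONTAINER_TRUE = {"spec": {"containers": [{"name": "app",
                                               "securityContext": {"runAsNonRoot": True}}],
                               "ephemeralContainers": [{"name": "debug",
                                                        "securityContext": {"runAsNonRoot": True}}]}}
# An ephemeral debug container with nothing set and no pod-level default fails branch 2
EPHEMERAL_UNSET = {"spec": {"containers": [{"name": "app",
                                            "securityContext": {"runAsNonRoot": True}}],
                            "ephemeralContainers": [{"name": "debug"}]}}
NOTHING_SET = {"spec": {"containers": [{"name": "app"}]}}

if __name__ == "__main__":
    for name in ("POD_LEVEL_TRUE", "CONTAINER_OVERRIDES_FALSE", "PER_CONTAINER_TRUE",
                 "EPHEMERAL_UNSET", "NOTHING_SET"):
        print(f"{name}: {'pass' if pod_is_non_root(globals()[name]) else 'FAIL'}")
```

Note that as shipped the policy uses `validationFailureAction: Audit`, so in-cluster it only reports violations; a pre-submission check like this one is where a failing manifest can actually be stopped unless the action is changed to Enforce.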