Require Non Root Groups
Containers should be forbidden from running with a root primary or supplementary GID. This policy ensures that the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields, when set, hold group IDs greater than zero (i.e., non-root). Because each field is matched with a conditional `=()` anchor, a Pod that omits the field is not checked for it and passes; the policy rejects only explicit root (0) values. As published, `validationFailureAction` is `audit`, so violations are only recorded in policy reports; change it to `enforce` to reject non-compliant Pods at admission.
Policy Definition
/pod-security/restricted/require-non-root-groups/require-non-root-groups.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root-groups
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.3.6
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Containers should be forbidden from running with a root primary or supplementary GID.
      This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number
      greater than zero (i.e., non-root).
spec:
  background: true
  validationFailureAction: audit
  rules:
  - name: check-runasgroup
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Running with root group IDs is disallowed. The fields
        spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
        and spec.initContainers[*].securityContext.runAsGroup must be empty
        or greater than zero.
      pattern:
        spec:
          =(securityContext):
            =(runAsGroup): ">0"
          =(initContainers):
          - =(securityContext):
              =(runAsGroup): ">0"
          containers:
          - =(securityContext):
              =(runAsGroup): ">0"
  - name: check-supplementalGroups
    match:
      resources:
        kinds:
        - Pod
    validate:
      # A scalar pattern against a list is applied to every element, so any 0
      # in supplementalGroups fails the rule; an unset list passes.
      message: >-
        Running with a root supplemental group ID is disallowed. The field
        spec.securityContext.supplementalGroups must be empty or contain
        only group IDs greater than zero.
      pattern:
        spec:
          =(securityContext):
            =(supplementalGroups): ">0"
  - name: check-fsGroup
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Setting fsGroup to the root group ID is disallowed. The field
        spec.securityContext.fsGroup must be empty or greater than zero.
      pattern:
        spec:
          =(securityContext):
            =(fsGroup): ">0"
```
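The manifests below are an added example, not part of the policy page or the Kyverno project: three constructed Pods (names, images, and GIDs are illustrative) that show which fields each rule inspects, one Pod that trips every rule, one that satisfies them, and one that omits the fields entirely and therefore passes because the pattern uses only conditional `=()` anchors.

```yaml
# Constructed test resources for require-non-root-groups (added example).
---
apiVersion: v1
kind: Pod
metadata:
  name: root-groups-pod            # fails all three rules
spec:
  securityContext:
    runAsGroup: 0                  # check-runasgroup: pod-level primary GID is root
    supplementalGroups: [0, 2000]  # check-supplementalGroups: the 0 element fails ">0"
    fsGroup: 0                     # check-fsGroup: volume ownership group is root
  initContainers:
  - name: init
    image: busybox
    securityContext:
      runAsGroup: 0                # check-runasgroup: spec.initContainers[*]
  containers:
  - name: app
    image: nginx
    securityContext:
      runAsGroup: 0                # check-runasgroup: spec.containers[*]
---
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-groups-pod         # passes all three rules
spec:
  securityContext:
    runAsGroup: 1000
    supplementalGroups: [2000]
    fsGroup: 1000
  initContainers:
  - name: init
    image: busybox
    securityContext:
      runAsGroup: 1000
  containers:
  - name: app
    image: nginx
    securityContext:
      runAsGroup: 1000
---
apiVersion: v1
kind: Pod
metadata:
  name: unset-groups-pod           # also passes: no group field is present,
spec:                              # so none of the =() anchors is evaluated
  containers:
  - name: app
    image: nginx
```

Save the policy as `require-non-root-groups.yaml` and the Pods as `pods.yaml`, then run `kyverno apply require-non-root-groups.yaml --resource pods.yaml`; the CLI reports a fail for each rule against `root-groups-pod` and a pass for the other two. The third Pod is the gap to keep in mind: with `runAsGroup` unset, the container's primary GID is whatever the image's user entry supplies, which for an image that runs as root is 0. Pair this policy with a rule that requires `runAsNonRoot`, or replace the `=(runAsGroup)` anchors with plain `runAsGroup` keys if you want the field to be mandatory rather than merely validated when present.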