Require Non Root Groups

Containers should be forbidden from running with a root primary or supplementary GID. This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number greater than zero (i.e., non root).

Policy Definition

/pod-security/restricted/require-non-root-groups/require-non-root-groups.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root-groups
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.3.6
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Containers should be forbidden from running with a root primary or supplementary GID.
      This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number
      greater than zero (i.e., non root).
spec:
  background: true
  validationFailureAction: audit
  rules:
    - name: check-runasgroup
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Running with root group IDs is disallowed. The fields
          spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
          and spec.initContainers[*].securityContext.runAsGroup must be empty
          or greater than zero.
        pattern:
          spec:
            # =(field) is an optional anchor: the check only applies when the field is present
            =(securityContext):
              =(runAsGroup): ">0"
            =(initContainers):
              - =(securityContext):
                  =(runAsGroup): ">0"
            containers:
              - =(securityContext):
                  =(runAsGroup): ">0"
    - name: check-supplementalGroups
      match:
        resources:
          kinds:
            - Pod
      validate:
        # message aligned with the pattern below, which permits the field when every GID is > 0
        message: >-
          Adding of root supplemental group IDs is not allowed. The field
          spec.securityContext.supplementalGroups must be empty or contain only
          values greater than zero.
        pattern:
          spec:
            =(securityContext):
              =(supplementalGroups): ">0"
    - name: check-fsGroup
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Changing to root group ID is disallowed. The field
          spec.securityContext.fsGroup must be empty or greater than zero.
        pattern:
          spec:
            =(securityContext):
              =(fsGroup): ">0"
```
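To see which Pod manifests the three rules accept and reject, the following added example (not part of the Kyverno policy library or the Kyverno engine) mirrors the policy's intent on plain Pod dictionaries: a field wrapped in `=( )` is optional, so an absent field passes and a present field must be greater than zero, and a list such as `supplementalGroups` is treated as compliant only when every entry is greater than zero. The sample manifests, the function names and the violation message format are all constructed for this example.

```python
"""Local mirror of the require-non-root-groups checks (added example, not Kyverno code).

Reproduces the policy's semantics on a Pod manifest loaded as a dict:
  - `=(field)` optional anchor: absent means pass, present means its value must match;
  - pattern ">0": an integer greater than zero; for a list, every element must be > 0.
"""
from typing import Any, Dict, List


def gid_ok(value: Any) -> bool:
    """True when value satisfies the ">0" pattern; lists are checked element-wise."""
    if isinstance(value, list):
        return bool(value) and all(gid_ok(v) for v in value)
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def check_optional_gid(obj: Dict[str, Any], path: str, field: str, violations: List[str]) -> None:
    """Apply one `=(securityContext): =(field): ">0"` pattern to obj, recording a violation."""
    sc = obj.get("securityContext")
    if sc is None or field not in sc:
        return  # optional anchor: field absent, nothing to check
    if not gid_ok(sc[field]):
        violations.append(f"{path}.securityContext.{field}={sc[field]!r} must be > 0")


def validate_pod(pod: Dict[str, Any]) -> List[str]:
    """Return the list of violations of the three rules; an empty list means compliant."""
    spec = pod.get("spec", {})
    violations: List[str] = []
    # rule check-runasgroup: pod level, every initContainer, every container
    check_optional_gid(spec, "spec", "runAsGroup", violations)
    for i, c in enumerate(spec.get("initContainers", [])):
        check_optional_gid(c, f"spec.initContainers[{i}]", "runAsGroup", violations)
    for i, c in enumerate(spec.get("containers", [])):
        check_optional_gid(c, f"spec.containers[{i}]", "runAsGroup", violations)
    # rule check-supplementalGroups
    check_optional_gid(spec, "spec", "supplementalGroups", violations)
    # rule check-fsGroup
    check_optional_gid(spec, "spec", "fsGroup", violations)
    return violations


# Constructed sample manifests (hypothetical, not from the page).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {
        "securityContext": {"runAsGroup": 1000, "fsGroup": 2000, "supplementalGroups": [3000]},
        "initContainers": [{"name": "init", "image": "busybox", "securityContext": {"runAsGroup": 1000}}],
        "containers": [{"name": "app", "image": "nginx", "securityContext": {"runAsGroup": 1000}}],
    },
}

# No group fields at all: passes, because every checked field is an optional anchor.
UNSET_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "unset"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}

ROOT_CONTAINER_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "root-container"},
    "spec": {
        "securityContext": {"runAsGroup": 1000},
        "containers": [{"name": "app", "image": "nginx", "securityContext": {"runAsGroup": 0}}],
    },
}

ROOT_GROUPS_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "root-groups"},
    "spec": {
        "securityContext": {"fsGroup": 0, "supplementalGroups": [0, 1000]},
        "containers": [{"name": "app", "image": "nginx"}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, UNSET_POD, ROOT_CONTAINER_POD, ROOT_GROUPS_POD):
        print(pod["metadata"]["name"], validate_pod(pod) or "compliant")
```

Two points the sample manifests make visible: `UNSET_POD` passes even though it sets no group at all, because the policy constrains only values that are explicitly set, so a workload can still inherit the image's default group; and with `validationFailureAction: audit` the violations shown for the last two pods are reported rather than blocked, so an admission-time block requires `enforce`.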