kyverno

2026-02-17 13:20:52 +02:00
parent 6569a6c33b
commit 06307b4047
1 changed files with 27 additions and 11 deletions
--- a/templates/kyverno.yaml
+++ b/templates/kyverno.yaml
@@ -1,19 +1,35 @@
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: add-default-securitycontext
+  namespace: memelord-raiko
+spec:
+  rules:
+    - name: add-default-securitycontext
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      mutate:
+        patchStrategicMerge:
+          spec:
+            securityContext:
+              +(runAsNonRoot): true
+              +(runAsUser): 1000
+              +(runAsGroup): 3000
+              +(fsGroup): 2000
+
+---
 apiVersion: kyverno.io/v1
 kind: Policy
 metadata:
  name: require-run-as-non-root-user
-  namespace: memelord-raiko
-  annotations:
-    policies.kyverno.io/title: Require Run As Non-Root User
-    policies.kyverno.io/category: Pod Security Standards (Restricted)
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Pod
-    kyverno.io/kyverno-version: 1.6.0
-    kyverno.io/kubernetes-version: 1.22-1.23
-    policies.kyverno.io/description: Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero.
+  namespace: memelord-laurivosandi
 spec:
-  validationFailureAction: Audit
-  background: true
+  validationFailureAction: Enforce
+  background: false
  rules:
    - name: run-as-non-root-user
      match: