---
# Mutating policy: fills in pod-level securityContext defaults for Pods in
# this namespace. Each "+()" anchor adds the field only when the Pod omits
# it, so an explicitly set value is left untouched. The defaults land at the
# pod level only; a container-level securityContext takes precedence in
# Kubernetes, so the validating policy below is what actually enforces non-root.
apiVersion: kyverno.io/v1
kind: Policy  # namespaced kind: applies only inside metadata.namespace
metadata:
  name: add-default-securitycontext
  namespace: memelord-raiko
spec:
  rules:
    - name: add-default-securitycontext
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              +(runAsNonRoot): true
              +(runAsUser): 1000
              +(runAsGroup): 3000
              +(fsGroup): 2000
---
# Validating policy: rejects a Pod whose runAsUser is set to a value that is
# not greater than zero (i.e. root) at the pod level or in any container,
# init container or ephemeral container. The "=()" anchors make each
# securityContext/runAsUser check conditional, so a Pod that leaves the field
# unset passes; note that this rule checks runAsUser only and does not require
# runAsNonRoot itself.
apiVersion: kyverno.io/v1
kind: Policy  # namespaced kind: applies only inside metadata.namespace
metadata:
  name: require-run-as-non-root-user
  namespace: memelord-raiko
spec:
  validationFailureAction: Enforce  # block the admission request instead of only auditing it
  background: false  # evaluate on admission only; skip background scans of existing Pods
  rules:
    - name: run-as-non-root-user
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Running as root is not allowed. The fields
          spec.securityContext.runAsUser,
          spec.containers[*].securityContext.runAsUser,
          spec.initContainers[*].securityContext.runAsUser, and
          spec.ephemeralContainers[*].securityContext.runAsUser must be unset
          or set to a number greater than zero.
        pattern:
          spec:
            "=(securityContext)":
              "=(runAsUser)": ">0"
            "=(ephemeralContainers)":
              - "=(securityContext)":
                  "=(runAsUser)": ">0"
            "=(initContainers)":
              - "=(securityContext)":
                  "=(runAsUser)": ">0"
            # containers is not anchored: every Pod has at least one, so the
            # check is applied unconditionally here.
            containers:
              - "=(securityContext)":
                  "=(runAsUser)": ">0"