Validate User ID, Group ID, and FS Group in CEL expressions
All processes inside a Pod can be made to run with a specific user ID and group ID by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be set so that any file created in a volume is owned by the specified group ID. This policy validates that these three fields are set to the defined values.
Policy Definition
/other-cel/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-userid-groupid-fsgroup
  annotations:
    policies.kyverno.io/title: Validate User ID, Group ID, and FS Group in CEL expressions
    policies.kyverno.io/category: Sample in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      All processes inside a Pod can be made to run with specific user and groupID
      by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified
      to make sure any file created in the volume will have the specified groupID.
      This policy validates that these fields are set to the defined values.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-userid-groupid-fsgroup
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: "object.spec.?securityContext.?runAsUser.orValue(1) == 1000"
              message: "User ID should be 1000."
            - expression: "object.spec.?securityContext.?runAsGroup.orValue(1) == 3000"
              message: "Group ID should be 3000."
            - expression: "object.spec.?securityContext.?fsGroup.orValue(1) == 2000"
              message: "fs Group should be 2000."
```
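The three CEL expressions rely on optional chaining: `object.spec.?securityContext.?runAsUser` yields an empty optional when the Pod omits `securityContext` or `runAsUser`, and `.orValue(1)` then substitutes `1`, which is not `1000`, so a Pod that simply leaves the fields unset fails every expression rather than slipping through. The script below is an added example, not part of the Kyverno policy or its sample library: it re-implements that `orValue` logic on plain Python dicts (the hypothetical helpers `or_value`, `validate_pod` and `container_overrides` are assumptions made here) and runs it over constructed Pod manifests. `container_overrides` goes one step beyond the policy: a container-level `securityContext.runAsUser`/`runAsGroup` overrides the pod-level value in Kubernetes, which the policy's pod-level checks do not see, so it reports such overrides separately.

```python
"""Offline simulation of the policy's three CEL checks (added example).

Assumed CEL semantics: `a.?b` is an empty optional when `b` is missing and
`.orValue(d)` substitutes `d`. Nothing here calls Kyverno or a cluster.
"""
from typing import Any, Dict, List

# Expected IDs and messages copied from the policy's expressions.
EXPECTED = {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000}
MESSAGES = {
    "runAsUser": "User ID should be 1000.",
    "runAsGroup": "Group ID should be 3000.",
    "fsGroup": "fs Group should be 2000.",
}
# The policy's `orValue(1)` fallback: an unset field is compared as 1.
FALLBACK = 1


def or_value(obj: Dict[str, Any], path: List[str], default: Any) -> Any:
    """Walk `path` with optional-chaining semantics: any missing key -> default."""
    cur: Any = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def validate_pod(pod: Dict[str, Any]) -> List[str]:
    """Return the policy message for each expression that evaluates to false.

    An empty list means the Pod satisfies all three pod-level expressions.
    """
    failures: List[str] = []
    for field, expected in EXPECTED.items():
        actual = or_value(pod, ["spec", "securityContext", field], FALLBACK)
        if actual != expected:
            failures.append(MESSAGES[field])
    return failures


def container_overrides(pod: Dict[str, Any]) -> List[str]:
    """Extra check NOT in the policy (hypothetical): container-level
    runAsUser/runAsGroup override the pod-level values, so flag any
    container or initContainer that sets them to something other than
    the expected IDs."""
    spec = pod.get("spec", {})
    findings: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        for field in ("runAsUser", "runAsGroup"):
            if field in sc and sc[field] != EXPECTED[field]:
                findings.append(f"container {c.get('name')!r} sets {field}={sc[field]}")
    return findings


# Constructed sample manifests (not taken from the page).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{"name": "app", "image": "example/app:1"}],
    },
}
NO_CONTEXT_POD = {  # securityContext omitted entirely -> all three checks fail
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "missing"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1"}]},
}
OVERRIDE_POD = {  # pod-level values are right, but the container runs as root
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "override"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{"name": "app", "image": "example/app:1",
                        "securityContext": {"runAsUser": 0}}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NO_CONTEXT_POD, OVERRIDE_POD):
        name = pod["metadata"]["name"]
        print(f"{name}: policy={validate_pod(pod) or ['pass']} "
              f"container_overrides={container_overrides(pod)}")
```

Running it shows `missing` failing all three messages and `override` passing the policy while `container_overrides` reports `runAsUser=0` on the container. Note also that the policy ships with `validationFailureAction: Audit`, so in a cluster a failing Pod is recorded in the policy report rather than rejected; switching to `Enforce` is what makes the admission request fail.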