apiVersion: kyverno.io/v1 kind: Policy metadata: name: require-user-groups annotations: policies.kyverno.io/category: Pod Security Standards policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Containers should allow to run with a root primary or supplementary GID. spec: validationFailureAction: audit background: true rules: - name: allow users match: resources: kinds: - Pod selector: matchLabels: app.kubernetes.io/component: experiment-job validate: message: >- Running the user IDs are allowed. pattern: spec: =(securityContext): =(runAsUser): '>=0' containers: - =(securityContext): =(runAsUser): ">=0" - name: allow supplementary groups match: resources: kinds: - Pod selector: matchLabels: app.kubernetes.io/component: experiment-job validate: message: >- Adding of supplemental group IDs is allowed. pattern: spec: =(securityContext): =(supplementalGroups): - ">=0" - name: allow gs groups match: resources: kinds: - Pod selector: matchLabels: app.kubernetes.io/component: experiment-job validate: message: >- Changing to root group ID is allowed. pattern: spec: =(securityContext): =(fsGroup): ">=0"