Validate User ID, Group ID, and FS Group

All processes inside a Pod can be made to run with a specific user ID and group ID by setting `runAsUser` and `runAsGroup` respectively in the Pod-level `securityContext`. `fsGroup` can be set so that any file created in a volume is owned by the specified group ID. This policy validates that all three fields are present and set to the defined values.

Policy Definition

/other/restrict_usergroup_fsgroup_id.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-userid-groupid-fsgroup
  annotations:
    policies.kyverno.io/title: Validate User ID, Group ID, and FS Group
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      All processes inside a Pod can be made to run with specific user and groupID
      by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified
      to make sure any file created in the volume will have the specified groupID.
      This policy validates that these fields are set to the defined values.
spec:
  rules:
  - name: validate-userid
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "User ID should be 1000."
      pattern:
        spec:
          securityContext:
            runAsUser: '1000'
  - name: validate-groupid
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Group ID should be 3000."
      pattern:
        spec:
          securityContext:
            runAsGroup: '3000'
  - name: validate-fsgroup
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "fsgroup should be 2000."
      pattern:
        spec:
          securityContext:
            fsGroup: '2000'
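The following is an added example, not part of the Kyverno policy page or the Kyverno project. It re-implements the three pattern checks of the policy above in plain Python so the behaviour can be exercised offline against constructed Pod manifests (embedded as dicts; the Pod names and UIDs are made up). The `container_overrides` helper is also an assumption of this example, not something the policy does: it exists to show that a Pod can pass all three rules while a container-level `securityContext` sets a different `runAsUser` or `runAsGroup`, because in Kubernetes the container-level setting takes precedence over the Pod-level one.

```python
"""Added example: Python re-implementation of the validate-userid-groupid-fsgroup
checks, plus a gap check for container-level overrides. Not Kyverno code."""

# Expected values and messages, taken from the policy's three rules.
EXPECTED = {
    "runAsUser": (1000, "User ID should be 1000."),
    "runAsGroup": (3000, "Group ID should be 3000."),
    "fsGroup": (2000, "fsgroup should be 2000."),
}


def validate_pod(pod):
    """Return the list of violation messages for a Pod manifest (dict).

    Mirrors the policy: each rule looks only at spec.securityContext and
    fails when the field is missing or differs from the expected value.
    An empty list means the Pod passes all three rules.
    """
    sc = pod.get("spec", {}).get("securityContext") or {}
    violations = []
    for field, (want, message) in EXPECTED.items():
        if sc.get(field) != want:
            violations.append(message)
    return violations


def container_overrides(pod):
    """Report containers whose own securityContext sets runAsUser/runAsGroup.

    Hypothetical extra check, not part of the policy: a container-level
    securityContext overrides the Pod-level value, so a Pod can satisfy the
    policy above while one of its containers still runs as another UID/GID.
    Returns a list of (container name, overriding fields) tuples.
    """
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    found = []
    for c in containers:
        csc = c.get("securityContext") or {}
        overridden = {k: csc[k] for k in ("runAsUser", "runAsGroup") if k in csc}
        if overridden:
            found.append((c["name"], overridden))
    return found


# Constructed sample manifests (not from the page).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sample-ok"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{"name": "app", "image": "example/app:placeholder"}],
    },
}

# Wrong runAsUser and no fsGroup at all: two rules fail, runAsGroup passes.
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sample-bad"},
    "spec": {
        "securityContext": {"runAsUser": 1001, "runAsGroup": 3000},
        "containers": [{"name": "app", "image": "example/app:placeholder"}],
    },
}

# Pod-level values are correct, but the container overrides runAsUser.
OVERRIDING_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sample-override"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{
            "name": "app", "image": "example/app:placeholder",
            "securityContext": {"runAsUser": 0},
        }],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD, OVERRIDING_POD):
        name = pod["metadata"]["name"]
        print(name, "violations:", validate_pod(pod) or "none")
        print(name, "container overrides:", container_overrides(pod) or "none")
```

The third manifest is the one to note: it passes every rule of the policy exactly as written, because the rules only inspect `spec.securityContext`, yet its container runs with `runAsUser: 0`. If that matters in your cluster, a further rule over `spec.containers[*].securityContext` (and `initContainers`) is needed; the helper above only reports the gap, it does not add that rule.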