Mandatory Security Context for All Pods

Intermediate

Every pod must define a securityContext with non-root user, dropped capabilities, read-only root filesystem, and no privilege escalation to meet the Restricted Pod Security Standard.

File Patterns

**/*.yaml**/*.yml**/k8s/****/kubernetes/****/manifests/****/helm/**

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# Mandatory Security Context for All Pods

## Rule
Every pod MUST define a securityContext that meets the Restricted Pod Security Standard. No exceptions for application workloads.

## Required Security Context
```yaml
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1001
        capabilities:
          drop: ["ALL"]
```

## Good Examples
```yaml
# Complete secure pod spec
apiVersion: v1
kind: Pod
metadata:
  name: secure-api
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: myapi:2.0.0
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

## Bad Examples
```yaml
# BAD: No securityContext at all
spec:
  containers:
    - name: app
      image: myapp:1.0

# BAD: Running as root
spec:
  securityContext:
    runAsUser: 0

# BAD: Privileged container
spec:
  containers:
    - name: app
      securityContext:
        privileged: true

# BAD: Allowing privilege escalation
spec:
  containers:
    - name: app
      securityContext:
        allowPrivilegeEscalation: true
```

## Handling Read-Only Root Filesystem
```yaml
# If your app needs to write to /tmp or /var/cache:
volumes:
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir: {}
containers:
  - name: app
    securityContext:
      readOnlyRootFilesystem: true
    volumeMounts:
      - name: tmp
        mountPath: /tmp
      - name: cache
        mountPath: /var/cache
```

## Enforcement
- Enable Pod Security Admission with `enforce: restricted` on all app namespaces
- Use OPA Gatekeeper or Kyverno for custom policy enforcement
- CI validation with kubeconform + custom policies
- Regular audits with kubeaudit or Polaris

FAQ

Discussion

Loading comments...

# Mandatory Security Context for All Pods ## Rule Every pod MUST define a securityContext that meets the Restricted Pod Security Standard. No exceptions for application workloads. ## Required Security Context ```yaml spec: securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault containers: - name: app securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1001 capabilities: drop: ["ALL"] ``` ## Good Examples ```yaml # Complete secure pod spec apiVersion: v1 kind: Pod metadata: name: secure-api spec: securityContext: runAsNonRoot: true runAsUser: 1001 runAsGroup: 1001 fsGroup: 1001 seccompProfile: type: RuntimeDefault containers: - name: api image: myapi:2.0.0 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: ["ALL"] volumeMounts: - name: tmp mountPath: /tmp volumes: - name: tmp emptyDir: {} ``` ## Bad Examples ```yaml # BAD: No securityContext at all spec: containers: - name: app image: myapp:1.0 # BAD: Running as root spec: securityContext: runAsUser: 0 # BAD: Privileged container spec: containers: - name: app securityContext: privileged: true # BAD: Allowing privilege escalation spec: containers: - name: app securityContext: allowPrivilegeEscalation: true ``` ## Handling Read-Only Root Filesystem ```yaml # If your app needs to write to /tmp or /var/cache: volumes: - name: tmp emptyDir: {} - name: cache emptyDir: {} containers: - name: app securityContext: readOnlyRootFilesystem: true volumeMounts: - name: tmp mountPath: /tmp - name: cache mountPath: /var/cache ``` ## Enforcement - Enable Pod Security Admission with `enforce: restricted` on all app namespaces - Use OPA Gatekeeper or Kyverno for custom policy enforcement - CI validation with kubeconform + custom policies - Regular audits with kubeaudit or Polaris