Kyverno Policy Bundle
A comprehensive bundle of 7 Kyverno ClusterPolicies: resource limits, non-root enforcement, read-only filesystem, host namespace blocking, required labels, privilege escalation denial, and security context mutation.
Overview
This template provides a complete Kyverno policy bundle with 7 ClusterPolicies covering the most critical security controls: require resource limits (enforce), require run-as-non-root (enforce), require read-only root filesystem (audit), disallow host namespaces (enforce), require standard labels (audit), disallow privilege escalation (enforce), and a mutate policy that automatically injects default security contexts.
Security threat addressed: Without admission control, insecure workloads are deployed to production — containers running as root, without resource limits, with privilege escalation enabled, or sharing host namespaces. This bundle enforces security baselines at the admission gate.
When to use: Deploy as the first line of defense in every cluster. The bundle includes both enforce and audit policies, allowing gradual rollout.
Threat Model
- Comprehensive admission control: Seven policies cover pod security, resource management, container isolation, and operational standards.
- Validate + Mutate: Validation policies block non-compliant workloads; the mutate policy automatically adds security defaults as a safety net.
- Graduated enforcement: Critical controls (non-root, no privilege escalation) are set to enforce; others (read-only fs, labels) start in audit mode for gradual adoption.
- All container types: Policies validate regular containers, init containers, and ephemeral containers.
MITRE ATT&CK:
- T1611 — Escape to Host: Non-root, no-privilege-escalation, and no-host-namespaces policies prevent container escape.
- T1496 — Resource Hijacking: The resource limits requirement caps CPU and memory per container, preventing unbounded consumption for cryptomining.
- T1059 — Command and Scripting Interpreter: A read-only root filesystem (audit mode in this bundle) prevents attackers from writing scripts or tools into the container filesystem.
Real-world scenario: A new team deploys their application without any security context configured. The mutate policy automatically injects runAsNonRoot: true and a RuntimeDefault seccomp profile. If they try to deploy a privileged container, the validate policy blocks it with a clear error message explaining how to fix it.
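The default injection described in the scenario above, written out as an added example (not the bundle's own mutate policy; the policy name is a placeholder): Kyverno's +() add-if-not-present anchor sets runAsNonRoot and a RuntimeDefault seccomp profile only when the request omits them, and kube-system is excluded so system pods are left untouched.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example-add-security-defaults   # placeholder name, not the bundle's
spec:
  # this rule only patches incoming requests, so no background scan is needed
  background: false
  rules:
  - name: add-pod-security-defaults
    match:
      any:
      - resources:
          kinds: [Pod]
    exclude:
      any:
      - resources:
          namespaces: [kube-system]
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            # +(key) adds the field only when the request does not set it.
            # An explicit runAsNonRoot: false is therefore NOT overwritten;
            # it is left for the validate policy to reject with a clear message.
            +(runAsNonRoot): true
            +(seccompProfile):
              type: RuntimeDefault
```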
YAML Source
# Policy 1: require-resource-limits (ENFORCE)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
  annotations:
    policies.kyverno.io/title: Require Resource Limits
    policies.kyverno.io/severity: high
spec:
  validationFailureAction: enforce
  background: true
  rules:
  - name: validate-resource-limits
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "All containers must specify CPU and memory limits."
      pattern:
        spec:
          containers:
          - resources:
              limits:
                memory: "?*"
                cpu: "?*"
# ... truncated -- get all 7 policies (non-root, read-only fs, host namespaces,
# labels, privilege escalation, mutate defaults) at k8s-security.pro/pricing
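The excerpt above validates only spec.containers. To show how a policy covers init and ephemeral containers as well, here is an added example of a disallow-privilege-escalation validate policy (not the bundle's own policy; the name is a placeholder) that uses Kyverno's =() conditional anchor so the optional lists are checked only when present.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example-disallow-privilege-escalation   # placeholder name, not the bundle's
spec:
  validationFailureAction: enforce
  background: true
  rules:
  - name: privilege-escalation
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: >-
        Privilege escalation is disallowed. Every container, initContainer and
        ephemeralContainer must set securityContext.allowPrivilegeEscalation to false.
      pattern:
        spec:
          # =(key) is a conditional anchor: the list is validated only if the
          # Pod has it, so Pods without initContainers still pass this rule.
          =(initContainers):
          - securityContext:
              allowPrivilegeEscalation: "false"
          =(ephemeralContainers):
          - securityContext:
              allowPrivilegeEscalation: "false"
          # containers is mandatory, so it is validated unconditionally; a
          # container that omits securityContext entirely fails the pattern.
          containers:
          - securityContext:
              allowPrivilegeEscalation: "false"
```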
Get the complete template with all 7 ClusterPolicies, init/ephemeral container coverage, the security context mutate policy, and kube-system exclusions in the Enterprise tier.
Installation
kubectl:
# Install Kyverno
helm install kyverno kyverno/kyverno -n kyverno --create-namespace
# Apply the policy bundle
kubectl apply -f 19_kyverno_policy_bundle.yaml
Helm:
helm install k8s-security ./charts/k8s-security -f values-prod.yaml
Kustomize:
kubectl apply -k kustomize/overlays/prod
Verification
# List all Kyverno policies
kubectl get clusterpolicy
# Check policy status and ready state
kubectl get clusterpolicy -o wide
# View policy reports (audit mode violations)
kubectl get policyreport -A
kubectl get clusterpolicyreport
# Test resource limits enforcement
kubectl run test --image=nginx --restart=Never
# Expected: blocked by require-resource-limits
# Test non-root enforcement
kubectl run test --image=nginx --restart=Never --overrides='{"spec":{"securityContext":{"runAsNonRoot":false},"containers":[{"name":"test","image":"nginx","resources":{"limits":{"cpu":"100m","memory":"128Mi"}}}]}}'
# Expected: blocked by require-run-as-nonroot
# Verify mutate policy is adding defaults
kubectl run test-mutate --image=nginx:1.25 --restart=Never --overrides='{"spec":{"containers":[{"name":"test","image":"nginx:1.25","resources":{"limits":{"cpu":"100m","memory":"128Mi"}}}]}}'
kubectl get pod test-mutate -o jsonpath='{.spec.securityContext}'
# Expected: runAsNonRoot: true, seccompProfile: RuntimeDefault
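The checks above need a live cluster. As an added example (not part of the template), a Kyverno CLI test evaluates the resource-limits policy offline against constructed sample Pods; the two files below assume the bundle is saved as 19_kyverno_policy_bundle.yaml in the same directory.

```yaml
# file: kyverno-test.yaml  (next to 19_kyverno_policy_bundle.yaml)
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: resource-limits-test
policies:
  - 19_kyverno_policy_bundle.yaml
resources:
  - pods.yaml
results:
  - policy: require-resource-limits
    rule: validate-resource-limits
    kind: Pod
    resources:
      - no-limits
    result: fail          # no resources.limits at all
  - policy: require-resource-limits
    rule: validate-resource-limits
    kind: Pod
    resources:
      - with-limits
    result: pass          # both cpu and memory limits present
---
# file: pods.yaml  (constructed sample resources; never applied to a cluster)
apiVersion: v1
kind: Pod
metadata:
  name: no-limits
spec:
  containers:
  - name: app
    image: nginx:1.25
---
apiVersion: v1
kind: Pod
metadata:
  name: with-limits
spec:
  containers:
  - name: app
    image: nginx:1.25
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
```

Run kyverno test . in that directory; the no-limits Pod is expected to fail the rule and the with-limits Pod to pass, so the bundle can be exercised in CI before it reaches an admission webhook.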
CIS Benchmark References
- 5.2.1 — Ensure admission control policies are in place. This Kyverno bundle provides comprehensive admission control.
- 5.2.2 — Minimize the admission of privileged containers. Policy 6 (disallow-privilege-escalation) enforces this.
- 5.2.4 — Minimize containers without readOnlyRootFilesystem. Policy 3 audits for this.
- 5.2.5 — Minimize containers with allowPrivilegeEscalation. Policy 6 enforces this.
- 5.2.6 — Minimize containers lacking resource limits. Policy 1 enforces this.
- 5.2.7 — Minimize the admission of root containers. Policy 2 enforces runAsNonRoot.
- 5.2.8 — Minimize containers with allowPrivilegeEscalation. Policy 6 blocks this.
MITRE ATT&CK References
- T1611 — Escape to Host: Policies 2 (non-root), 4 (no host namespaces), and 6 (no privilege escalation) block the primary container escape techniques.
- T1496 — Resource Hijacking: Policy 1 (resource limits) prevents unbounded CPU/memory consumption for cryptomining.
- T1059 — Command and Scripting Interpreter: Policy 3 (read-only root filesystem) prevents attackers from writing and executing scripts.
Further Reading
- Kubernetes CIS Benchmark and SOC2 Compliance: A Practical Guide — Map Kyverno policies to CIS Benchmark Section 5.2 controls and SOC2 CC6.3 authorization criteria.
Get Full Access to This Template
This template is included in the Enterprise tier and above.