Policy Patterns

Common policy patterns provide reusable templates for enforcing security and compliance standards. These patterns address the most common security requirements in Kubernetes.

Security Patterns

Non-Root Containers

Require all containers to run as non-root:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
spec:
  validationFailureAction: enforce
  rules:
  - name: check-non-root
    match:
      resources:
        kinds: ["Pod"]
    validate:
      message: "Containers must run as non-root"
      pattern:
        spec:
          securityContext:
            runAsNonRoot: true
          # Note: a container-level securityContext.runAsNonRoot: false overrides
          # the Pod-level setting, so deny that on containers as well.

Resource Limits

Require resource limits on all containers:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: enforce
  rules:
  - name: check-limits
    match:
      resources:
        kinds: ["Pod"]
    validate:
      message: "All containers must have resource limits"
      pattern:
        spec:
          containers:
          - name: "*"
            resources:
              limits:
                memory: "?*"
                cpu: "?*"

Block Privileged Containers

Prevent privileged containers:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-privileged
spec:
  validationFailureAction: enforce
  rules:
  - name: check-privileged
    match:
      resources:
        kinds: ["Pod"]
    validate:
      message: "Privileged containers are not allowed"
      deny:
        conditions:
        # Collects one boolean per container that sets privileged; the `[]`
        # default covers Pods where no container sets it at all. initContainers
        # and ephemeralContainers need the same check.
        - key: "{{ request.object.spec.containers[].securityContext.privileged || `[]` }}"
          operator: AnyIn
          value: [true]

Compliance Patterns

Required Labels

Enforce required labels:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-labels
    match:
      resources:
        kinds: ["Deployment", "Service"]
    validate:
      message: "Resources must have 'team' and 'environment' labels"
      pattern:
        metadata:
          labels:
            team: "?*"
            environment: "?*"

Naming Conventions

Enforce naming conventions:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-naming
spec:
  validationFailureAction: enforce
  rules:
  - name: check-naming
    match:
      resources:
        kinds: ["Namespace"]
    validate:
      message: "Namespace names must start with 'prod-' or 'dev-'"
      pattern:
        metadata:
          name: "prod-* | dev-*"

Best Practice Patterns

Health Checks

Require health checks:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-health-checks
spec:
  validationFailureAction: enforce
  rules:
  - name: check-health-checks
    match:
      resources:
        kinds: ["Deployment"]
    validate:
      message: "Deployments must have liveness and readiness probes"
      pattern:
        spec:
          template:
            spec:
              containers:
              - name: "*"
                livenessProbe: "?*"
                readinessProbe: "?*"

Image Pull Policy

Enforce image pull policies:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-pull-policy
spec:
  validationFailureAction: enforce
  rules:
  - name: check-pull-policy
    match:
      resources:
        kinds: ["Pod"]
    validate:
      message: "Containers must use 'Always' or 'IfNotPresent' image pull policy"
      pattern:
        spec:
          containers:
          - name: "*"
            imagePullPolicy: "Always | IfNotPresent"
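To see how the validate patterns above behave on a real object, here is an added Python example (not Kyverno's own code) that re-implements the subset of Kyverno's pattern semantics these policies use and evaluates three of them against a constructed Pod; the simplified engine and the sample Pod are assumptions.

```python
import re
# Assumed: a simplified re-implementation (not Kyverno's engine) of the
# validate-pattern semantics the policies above rely on: '*' and '?' wildcards,
# 'a | b' alternatives, map keys that must exist, and a one-element list
# pattern that every element of the resource list must satisfy.
def wildcard(pattern, value):
    """Kyverno wildcard match; '?*' therefore means 'present and non-empty'."""
    for alt in pattern.split("|"):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in alt.strip())
        if re.fullmatch(regex, value, flags=re.DOTALL):
            return True
    return False

def matches(pattern, resource):
    if isinstance(pattern, dict):
        return isinstance(resource, dict) and all(
            k in resource and matches(v, resource[k]) for k, v in pattern.items())
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return False
        if len(pattern) == 1:          # "- name: '*'" applies to every container
            return all(matches(pattern[0], r) for r in resource)
        return len(pattern) == len(resource) and all(map(matches, pattern, resource))
    if isinstance(pattern, str):
        if resource is None:
            return False
        text = str(resource).lower() if isinstance(resource, bool) else str(resource)
        return wildcard(pattern, text)
    return pattern == resource         # bool or number in the pattern: exact match

# Patterns copied from require-non-root, require-resource-limits and
# require-image-pull-policy above; the Pod is constructed for the demo.
POLICIES = {
    "require-resource-limits": {"spec": {"containers": [{"name": "*",
        "resources": {"limits": {"memory": "?*", "cpu": "?*"}}}]}},
    "require-image-pull-policy": {"spec": {"containers": [{"name": "*",
        "imagePullPolicy": "Always | IfNotPresent"}]}},
    "require-non-root": {"spec": {"securityContext": {"runAsNonRoot": True}}},
}
SAMPLE_POD = {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
    {"name": "api", "imagePullPolicy": "Always",
     "resources": {"limits": {"memory": "256Mi", "cpu": "250m"}}},
    {"name": "sidecar", "imagePullPolicy": "Never",       # not in the allow list
     "resources": {"limits": {"memory": "64Mi"}}},        # cpu limit missing
]}}

def violations(policies, resource):
    # Names of the policies whose pattern the resource fails.
    return [name for name, pat in policies.items() if not matches(pat, resource)]
```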

Mutation Patterns

Add Default Resources

Automatically add resource limits:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-resources
spec:
  rules:
  - name: add-resources
    match:
      resources:
        kinds: ["Pod"]
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # "+()" adds a value only when the container does not already set it;
          # without the anchor the patch would overwrite explicit limits.
          - (name): "*"
            resources:
              limits:
                +(memory): "512Mi"
                +(cpu): "500m"
              requests:
                +(memory): "256Mi"
                +(cpu): "250m"

Add Security Context

Automatically add security context:

Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-security-context
spec:
  rules:
  - name: add-context
    match:
      resources:
        kinds: ["Pod"]
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
          containers:
          - (name): "*"
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
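The mutation policies above depend on two pieces of patchStrategicMerge behaviour: the "(name)" conditional anchor selects which list elements the fragment applies to, and a plain value overwrites whatever the resource already has, while a "+(key)" anchor adds it only when absent. This added Python example (not Kyverno's own code) re-implements those rules in simplified form and applies the add-default-resources fragment, once with and once without the "+()" anchors, to a constructed Pod; the engine and the Pod are assumptions.

```python
import copy
from fnmatch import fnmatchcase
# Assumed: a simplified re-implementation of how Kyverno applies a
# patchStrategicMerge fragment (not Kyverno's own engine). It supports the
# '(key)' conditional anchor and the '+(key)' add-if-absent anchor; any other
# patch value simply overwrites what the resource already has.
def strategic_merge(patch, target):
    if isinstance(patch, dict):
        target = target if isinstance(target, dict) else {}
        # Every conditional anchor must match or the fragment is skipped here.
        for key, want in patch.items():
            if key.startswith("(") and key.endswith(")"):
                have = target.get(key[1:-1])
                if have is None or not fnmatchcase(str(have), str(want)):
                    return target
        result = dict(target)
        for key, val in patch.items():
            if key.startswith("+(") and key.endswith(")"):
                result.setdefault(key[2:-1], copy.deepcopy(val))
            elif not (key.startswith("(") and key.endswith(")")):
                result[key] = strategic_merge(val, target.get(key))
        return result
    if isinstance(patch, list):
        # A list patch is applied element-wise to every matching target element.
        items = target if isinstance(target, list) else []
        out = []
        for item in items:
            for p in patch:
                item = strategic_merge(p, item)
            out.append(item)
        return out
    return copy.deepcopy(patch)

# The add-default-resources fragment written with '+()' anchors, so defaults
# never clobber limits a workload set explicitly; OVERWRITING is the same
# fragment without the anchors.
DEFAULTS = {"spec": {"containers": [{"(name)": "*", "resources": {
    "limits": {"+(memory)": "512Mi", "+(cpu)": "500m"},
    "requests": {"+(memory)": "256Mi", "+(cpu)": "250m"}}}]}}
OVERWRITING = {"spec": {"containers": [{"(name)": "*", "resources": {
    "limits": {"memory": "512Mi", "cpu": "500m"}}}]}}
# Constructed Pod: "api" already sets a memory limit, "sidecar" sets nothing.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "api", "resources": {"limits": {"memory": "1Gi"}}},
    {"name": "sidecar"}]}}

def limits_after(patch, pod):
    # Resource limits of each container once the patch has been applied.
    mutated = strategic_merge(patch, pod)
    return [c["resources"]["limits"] for c in mutated["spec"]["containers"]]
```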

Best Practices

  1. Start with validation - Enforce rules before adding mutations
  2. Use audit mode first - Test policies before enforcing
  3. Combine patterns - Use multiple policies for defense in depth
  4. Document exceptions - Explain why certain resources are exempt
  5. Version control - Store policies in Git
  6. Regular reviews - Update policies as requirements change

See Also