# Adds a safe SecurityContext to pods and containers when the fields are not set
# explicitly; intended to run alongside validate policies (mutate runs first, then
# validate). The +() anchors add a field only when it is absent, so values written
# explicitly in the manifest are never overwritten.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-security-context
  annotations:
    policies.kyverno.io/title: "Дефолтный SecurityContext"
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Автоматически применяет безопасный SecurityContext к подам и контейнерам,
      если поля не заданы явно. Работает в связке с validation политиками
      (сначала mutate, потом validate).
spec:
  rules:
    # Rule 1: pod-level defaults.
    - name: add-pod-security-context
      match:
        resources:
          kinds:
            - Pod
      exclude:
        resources:
          namespaces:
            - kube-system
      mutate:
        patchStrategicMerge:
          spec:
            +(securityContext):
              +(runAsNonRoot): true
              +(runAsUser): 1000
              +(seccompProfile):
                +(type): RuntimeDefault
    # Rule 2: container-level defaults, applied to every entry of spec.containers.
    # Note that only spec.containers is iterated; initContainers are not covered.
    - name: add-container-security-context
      match:
        resources:
          kinds:
            - Pod
      exclude:
        resources:
          namespaces:
            - kube-system
      mutate:
        foreach:
          - list: "request.object.spec.containers"
            patchStrategicMerge:
              spec:
                containers:
                  # (name) is a conditional anchor: the patch is applied only to the
                  # container whose name matches the current foreach element.
                  - (name): "{{ element.name }}"
                    +(securityContext):
                      +(allowPrivilegeEscalation): false
                      +(readOnlyRootFilesystem): true
                      +(capabilities):
                        +(drop):
                          - ALL
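Added example, not part of the policy file and not Kyverno's own engine: a small Python simulation of how the nested +() add-if-not-present anchors in both rules behave on a constructed Pod, so you can check that explicitly set fields (an existing runAsUser, an existing capabilities.add) survive and that kube-system is skipped. The defaults and the exclusion are copied from the policy above; the sample Pod is constructed.

```python
"""Constructed simulation of this policy's add-if-not-present (+()) anchors."""
import copy

# Defaults mirrored from the two rules above.
POD_DEFAULTS = {"runAsNonRoot": True, "runAsUser": 1000,
                "seccompProfile": {"type": "RuntimeDefault"}}
CONTAINER_DEFAULTS = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                      "capabilities": {"drop": ["ALL"]}}
EXCLUDED_NAMESPACES = {"kube-system"}

def add_if_absent(target, defaults):
    """Nested +() semantics: set a key only when missing; recurse into maps that exist."""
    for key, value in defaults.items():
        if key not in target:
            target[key] = copy.deepcopy(value)
        elif isinstance(value, dict) and isinstance(target[key], dict):
            add_if_absent(target[key], value)
    return target

def mutate_pod(pod):
    """Return the Pod as the admission webhook would emit it after both rules."""
    pod = copy.deepcopy(pod)
    if pod.get("metadata", {}).get("namespace") in EXCLUDED_NAMESPACES:
        return pod  # both rules exclude kube-system
    spec = pod.setdefault("spec", {})
    add_if_absent(spec.setdefault("securityContext", {}), POD_DEFAULTS)
    # The foreach rule walks spec.containers only; initContainers are left untouched.
    for container in spec.get("containers", []):
        add_if_absent(container.setdefault("securityContext", {}), CONTAINER_DEFAULTS)
    return pod

# Constructed sample: an explicit runAsUser and capabilities.add must survive mutation.
SAMPLE_POD = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "securityContext": {"runAsUser": 2000},
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
            {"name": "sidecar", "image": "busybox"},
        ],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(mutate_pod(SAMPLE_POD), indent=2))
```

The real Kyverno behaviour can be confirmed against a cluster-free run of `kyverno apply` with the policy and a test manifest; the simulation only models the anchor semantics, not the full admission flow.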