Kyverno Starter Policy Pack (Preview)
Included policies (files in ZIP)
deny-privileged.yaml: no privileged containers
require-safe-defaults.yaml: runAsNonRoot, readOnlyRootFilesystem, seccomp=RuntimeDefault, drop ALL capabilities
require-probes.yaml: liveness and readiness probes
verify-image-signatures.yaml: require a Cosign signature (set your public key)
allow-org-registry.yaml: restrict images to your org registry/prefix (optional)
deny-privileged.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-privileged
spec:
  validationFailureAction: Enforce   # use Audit to report violations without blocking while rolling out
  rules:
    - name: disallow-privileged
      match:
        any:
          - resources:
              # Match Pods only: Kyverno auto-generates the equivalent rules for Pod
              # controllers (Deployment, StatefulSet, DaemonSet, Job, CronJob). Listing
              # the controllers here would apply this Pod-level pattern to the
              # controller's own spec, which has no spec.containers, and skip autogen.
              kinds: ["Pod"]
      validate:
        message: "Privileged containers are not allowed."
        # =() is a conditional anchor: a container with no securityContext or no
        # privileged field passes, only an explicit privileged: true is denied.
        # Init and ephemeral containers get the same check.
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
require-safe-defaults.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-safe-defaults
spec:
  validationFailureAction: Enforce
  rules:
    - name: enforce-security-context
      match:
        any:
          - resources:
              kinds: ["Pod"]   # Pod controllers are covered by Kyverno's auto-generated rules
      validate:
        message: "Use runAsNonRoot, readOnlyRootFilesystem, seccomp=RuntimeDefault, and drop ALL capabilities."
        # Every field below must be set explicitly; a container that omits any of
        # them is rejected, so implicit defaults are never relied upon. Init
        # containers are held to the same settings.
        pattern:
          spec:
            securityContext:
              seccompProfile:
                type: RuntimeDefault
            =(initContainers):
              - securityContext:
                  runAsNonRoot: true
                  readOnlyRootFilesystem: true
                  capabilities:
                    drop:
                      - ALL
            containers:
              - securityContext:
                  runAsNonRoot: true
                  readOnlyRootFilesystem: true
                  capabilities:
                    drop:
                      - ALL
require-probes.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-probes
spec:
  validationFailureAction: Enforce
  rules:
    # Bare Pods are deliberately not matched; probes are enforced on workloads
    # managed by a controller, whose Pod template sits at spec.template.
    - name: require-probes
      match:
        any:
          - resources:
              kinds: ["Deployment","StatefulSet","DaemonSet","Job"]
      validate:
        message: "Liveness and readiness probes are required."
        pattern:
          spec:
            template:
              spec:
                containers:
                  - livenessProbe: {}
                    readinessProbe: {}
    # CronJob nests the Pod template one level deeper, under spec.jobTemplate,
    # so it needs its own rule with the longer path.
    - name: require-probes-cronjob
      match:
        any:
          - resources:
              kinds: ["CronJob"]
      validate:
        message: "Liveness and readiness probes are required."
        pattern:
          spec:
            jobTemplate:
              spec:
                template:
                  spec:
                    containers:
                      - livenessProbe: {}
                        readinessProbe: {}
verify-image-signatures.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  rules:
    - name: require-cosign
      match:
        any:
          - resources:
              kinds: ["Pod"]   # Pod controllers are covered by Kyverno's auto-generated rules
      verifyImages:
        - imageReferences: ["*"]   # set to your org/prefix for stricter scope
          attestors:
            - entries:
                - keys:
                    publicKeys: |
                      -----BEGIN PUBLIC KEY-----
                      (paste your cosign.pub here)
                      -----END PUBLIC KEY-----
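The public key is the one thing this policy cannot ship with: it has to come from your own Cosign key pair, and the PEM body has to land inside the `publicKeys: |` literal block at the right indentation or the policy stops being valid YAML. The script below is an added example, not part of the policy pack; the paths `policies/verify-image-signatures.yaml` and `cosign.pub` are assumptions, and the key material inside `demo` is a constructed stand-in, not a real key.

```shell
#!/usr/bin/env bash
# Added example, not part of the policy pack: fill the publicKeys block of
# verify-image-signatures.yaml from a cosign.pub file. The file paths are
# assumptions, and the key material used by demo() is a constructed stand-in,
# not a real key.
set -eu

# Create a Cosign key pair unless the public key already exists. cosign writes
# cosign.key (password-protected private key) and cosign.pub to the current dir.
ensure_keypair() {   # ensure_keypair PUBKEY_PATH
  [ -f "$1" ] || cosign generate-key-pair
}

# render_policy TEMPLATE PUBKEY
# Prints TEMPLATE with the "(paste your cosign.pub here)" line replaced by the
# base64 body of PUBKEY. The template already carries the BEGIN/END lines, so
# those are skipped when reading the key, and every inserted line reuses the
# placeholder's indentation so the "publicKeys: |" literal block stays valid YAML.
render_policy() {
  awk -v keyfile="$2" '
    /\(paste your cosign.pub here\)/ {
      match($0, /^ */)
      indent = substr($0, 1, RLENGTH)
      while ((getline line < keyfile) > 0)
        if (line !~ /^-----/) print indent line
      close(keyfile)
      next
    }
    { print }
  ' "$1"
}

# check_rendered FILE: succeeds only if the placeholder is gone and the file
# carries exactly one BEGIN/END pair, i.e. the key header was not pasted twice.
check_rendered() {
  ! grep -q 'paste your cosign.pub here' "$1" &&
    [ "$(grep -c -- '-----BEGIN PUBLIC KEY-----' "$1")" = 1 ] &&
    [ "$(grep -c -- '-----END PUBLIC KEY-----' "$1")" = 1 ]
}

# demo: renders a constructed template snippet with a constructed, obviously
# fake key so the behaviour can be inspected without cosign installed.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '      publicKeys: |' \
                '        -----BEGIN PUBLIC KEY-----' \
                '        (paste your cosign.pub here)' \
                '        -----END PUBLIC KEY-----' > "$d/template.yaml"
  printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
                'CONSTRUCTED-NOT-A-REAL-KEY-LINE-1' \
                'CONSTRUCTED-NOT-A-REAL-KEY-LINE-2' \
                '-----END PUBLIC KEY-----' > "$d/cosign.pub"
  render_policy "$d/template.yaml" "$d/cosign.pub" > "$d/rendered.yaml"
  check_rendered "$d/rendered.yaml"
  cat "$d/rendered.yaml"
  rm -rf "$d"
}

# Real use (assumed paths):
#   ensure_keypair cosign.pub
#   render_policy policies/verify-image-signatures.yaml cosign.pub > rendered.yaml
#   check_rendered rendered.yaml
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the rendered block; in real use, apply the rendered file rather than the template so the placeholder never reaches the cluster.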
allow-org-registry.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allow-org-registry
spec:
  validationFailureAction: Enforce
  rules:
    - name: only-org-images
      match:
        any:
          - resources:
              kinds: ["Pod"]   # Pod controllers are covered by Kyverno's auto-generated rules
      validate:
        message: "Image must come from your org registry."
        # Init and ephemeral containers pull images too, so they get the same check.
        pattern:
          spec:
            =(initContainers):
              - image: "localhost:5000/ship-securely/*"   # adjust for your org
            =(ephemeralContainers):
              - image: "localhost:5000/ship-securely/*"
            containers:
              - image: "localhost:5000/ship-securely/*"
Apply with:

kubectl apply -f policies/

Then submit a known-bad manifest and confirm that it is denied.
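The "test a known-bad manifest" step is better done with the Kyverno CLI before the policies touch a cluster: a `kyverno test` suite pins down which resources each rule must deny and which it must pass, and fails loudly when an edit changes that. The script below is an added example, not part of the policy pack. It assumes the pack's YAML lives in `./policies` and the suite in `./tests` (both assumptions), constructs one known-bad Pod, one known-good Pod and a probe-less Deployment, and leaves `verify-image-signatures` out because checking a signature needs access to the registry.

```shell
#!/usr/bin/env bash
# Added example, not part of the policy pack: a kyverno CLI test suite that runs
# the pack against constructed fixtures before anything is applied to a cluster.
# Assumed layout (an assumption of this script, not the ZIP's): policies in
# ./policies, suite in ./tests. verify-image-signatures is left out because
# checking a signature needs access to the registry.
set -eu

# write_fixtures DIR: writes constructed fixtures and the expected results.
write_fixtures() {
  mkdir -p "$1"
  cat > "$1/resources.yaml" <<'EOF'
# Constructed test fixtures, not real workloads.
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod          # privileged, root, writable rootfs, image from a foreign registry
spec:
  containers:
    - name: app
      image: docker.io/library/nginx:latest
      securityContext:
        privileged: true
---
apiVersion: v1
kind: Pod
metadata:
  name: good-pod         # satisfies every policy in the pack
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: localhost:5000/ship-securely/api:1.2.3
      securityContext:
        privileged: false
        runAsNonRoot: true
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bad-deploy       # no liveness or readiness probe
spec:
  selector:
    matchLabels: {app: bad}
  template:
    metadata:
      labels: {app: bad}
    spec:
      containers:
        - name: app
          image: localhost:5000/ship-securely/api:1.2.3
EOF
  cat > "$1/kyverno-test.yaml" <<'EOF'
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: starter-pack
policies:
  - ../policies/deny-privileged.yaml
  - ../policies/require-safe-defaults.yaml
  - ../policies/require-probes.yaml
  - ../policies/allow-org-registry.yaml
resources:
  - resources.yaml
results:
  - {policy: deny-privileged, rule: disallow-privileged, kind: Pod, resources: [bad-pod], result: fail}
  - {policy: deny-privileged, rule: disallow-privileged, kind: Pod, resources: [good-pod], result: pass}
  - {policy: require-safe-defaults, rule: enforce-security-context, kind: Pod, resources: [bad-pod], result: fail}
  - {policy: require-safe-defaults, rule: enforce-security-context, kind: Pod, resources: [good-pod], result: pass}
  - {policy: allow-org-registry, rule: only-org-images, kind: Pod, resources: [bad-pod], result: fail}
  - {policy: allow-org-registry, rule: only-org-images, kind: Pod, resources: [good-pod], result: pass}
  - {policy: require-probes, rule: require-probes, kind: Deployment, resources: [bad-deploy], result: fail}
EOF
}

# count_expectations DIR: number of expected results declared in the suite.
count_expectations() {
  grep -c 'result: ' "$1/kyverno-test.yaml"
}

# run_suite DIR: runs the suite; kyverno test exits non-zero on any mismatch.
run_suite() {
  command -v kyverno >/dev/null 2>&1 ||
    { echo "kyverno CLI not found (https://kyverno.io/docs/kyverno-cli/)" >&2; return 127; }
  kyverno test "$1"
}

if [ "${1:-}" = "--run" ]; then
  write_fixtures tests
  run_suite tests
fi
```

Run it with `--run` from the directory that holds `policies/`. Every rule gets both a must-deny and a must-pass expectation, so a later edit that silently stops matching (a wrong path, a typo in a field name) shows up as an unexpected pass rather than going unnoticed.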