Validate User Instruction


Ensuring the presence and proper configuration of the USER instruction in a Dockerfile is essential for enhancing the security posture of containerized applications. This policy aims to validate whether the USER instruction is appropriately defined to promote secure container execution practices. If the USER instruction is not present, the policy fails.

Kyverno policy

Refer to the Nirmata curated policies - validate-user-instruction.

Resource example

Below is an example of a Dockerfile enforcing this policy.

FROM ubuntu:latest

USER  me

CMD ["nginx", "-g", "daemon off;"]