
Apply PSS Restricted Profile

Pod Security Standards (PSS) define which Pod fields and values are allowed at each level (Privileged, Baseline, Restricted) in order to meet a set of security best practices. PSS is normally enforced with validation policies, so an incoming workload is either accepted or rejected according to what it already declares. An alternative is to mutate incoming Pods so that they meet the desired level instead of rejecting them. This policy sets the securityContext fields needed to pass the PSS Restricted profile: a RuntimeDefault seccomp profile, runAsNonRoot with a fixed non-root UID, GID and fsGroup at the Pod level, and privileged: false, allowPrivilegeEscalation: false and all capabilities dropped on every container. Note that it does not attempt to remove non-compliant volumes and volumeMounts; additional policies may be employed for that purpose. Two further caveats apply: the rule patches only spec.containers, so initContainers and ephemeral containers are left untouched and a Pod that declares them will still fail the Restricted checks, and the hard-coded runAsUser: 1000 replaces whatever user the image was built for, which can break images that expect a different UID or that write to paths owned by another user.

Policy Definition

/other/apply-pss-restricted-profile/apply-pss-restricted-profile.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: apply-pss-restricted-profile
  annotations:
    policies.kyverno.io/title: Apply PSS Restricted Profile
    policies.kyverno.io/category: Other, PSP Migration
    kyverno.io/kyverno-version: 1.6.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Pod Security Standards define the fields and their options which
      are allowable for Pods to achieve certain security best practices. While
      these are typically validation policies, workloads will either be accepted or
      rejected based upon what has already been defined. It is also possible to mutate
      incoming Pods to achieve the desired PSS level rather than reject. This policy
      sets all the fields necessary to pass the PSS Restricted profile. Note that it does
      not attempt to remove non-compliant volumes and volumeMounts. Additional policies
      may be employed for this purpose.
spec:
  rules:
  - name: add-pss-fields
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          # Pod-level settings, inherited by every container unless a
          # container sets the same field in its own securityContext.
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 3000
            fsGroup: 2000
          containers:
          # Conditional anchor: "?*" matches any container name, so the
          # patch below is applied to every entry of spec.containers.
          # initContainers and ephemeralContainers are not touched by this rule.
          - (name): "?*"
            securityContext:
              privileged: false
              capabilities:
                drop:
                - ALL
              allowPrivilegeEscalation: false
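The following is an added example, not part of the Kyverno policy library and not Kyverno's own engine: it simulates the patchStrategicMerge above in plain Python (nested maps merge, lists are replaced, only spec.securityContext and spec.containers are touched) and then runs a subset of the PSS Restricted checks over the result, so you can see offline which checks the mutation satisfies and which it leaves open. The Pod manifests, the container names and the hostPath volume are constructed for the example; the check list is a subset of the official Restricted profile and omits host namespace and other Baseline checks the policy does not address.

```python
import copy

# Fields the policy sets at the Pod level (spec.securityContext).
POD_SECURITY_CONTEXT = {
    "seccompProfile": {"type": "RuntimeDefault"},
    "runAsNonRoot": True,
    "runAsUser": 1000,
    "runAsGroup": 3000,
    "fsGroup": 2000,
}
# Fields the policy sets on every entry of spec.containers.
CONTAINER_SECURITY_CONTEXT = {
    "privileged": False,
    "capabilities": {"drop": ["ALL"]},
    "allowPrivilegeEscalation": False,
}
# Volume types permitted by the Restricted profile.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def deep_merge(base, patch):
    """Merge patch into base: nested maps merge, any other value (lists included) is replaced."""
    result = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def apply_pss_restricted_profile(pod):
    """Return a mutated copy of pod as the policy's single rule would leave it.

    Only spec.securityContext and spec.containers[*].securityContext are patched;
    initContainers, ephemeralContainers and volumes are left alone, mirroring the rule.
    """
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    spec["securityContext"] = deep_merge(spec.get("securityContext", {}), POD_SECURITY_CONTEXT)
    for container in spec.get("containers", []):
        container["securityContext"] = deep_merge(
            container.get("securityContext", {}), CONTAINER_SECURITY_CONTEXT)
    return pod


def check_restricted(pod):
    """Return a list of Restricted-profile violations (subset of the official checks).

    Container-level fields override Pod-level ones, as in the PSS definition, and every
    container type is inspected, which is why unpatched initContainers still show up.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    for volume in spec.get("volumes", []):
        for vol_type in (k for k in volume if k != "name"):
            if vol_type not in ALLOWED_VOLUME_TYPES:
                violations.append(f"volume {volume.get('name')!r} uses disallowed type {vol_type}")
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for container in spec.get(field, []):
            sc = container.get("securityContext", {})
            caps = sc.get("capabilities", {})
            where = f"{field}[{container.get('name')}]"
            if sc.get("allowPrivilegeEscalation") is not False:
                violations.append(f"{where}: allowPrivilegeEscalation must be false")
            if sc.get("privileged") is True:
                violations.append(f"{where}: privileged containers are not allowed")
            if "ALL" not in caps.get("drop", []):
                violations.append(f"{where}: capabilities must drop ALL")
            if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
                violations.append(f"{where}: only NET_BIND_SERVICE may be added")
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                violations.append(f"{where}: runAsNonRoot must be true")
            if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
                violations.append(f"{where}: runAsUser must not be 0")
            seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
            if seccomp not in ("RuntimeDefault", "Localhost"):
                violations.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# Constructed Pod: one app container, one init container, and a hostPath volume.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [{"name": "web", "image": "nginx:1.25"}],
        "volumes": [
            {"name": "tmp", "emptyDir": {}},
            {"name": "host", "hostPath": {"path": "/var/log"}},
        ],
    },
}

if __name__ == "__main__":
    print("before:", check_restricted(SAMPLE_POD))
    print("after: ", check_restricted(apply_pss_restricted_profile(SAMPLE_POD)))
```

Running it shows the app container going from four violations to none, while the init container keeps its allowPrivilegeEscalation and capabilities findings and the hostPath volume is still reported, which is exactly the gap the description warns about. To observe the real mutation rather than this simulation, feed the policy and a Pod manifest to the Kyverno CLI with `kyverno apply <policy.yaml> --resource <pod.yaml>` and compare the patched output against the checks above.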