Restrict Seccomp (Strict) in CEL

The seccomp profile in the Restricted group must not be explicitly set to Unconfined, and additionally must not be left unset. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this one, when written with `anyPattern`, from being persisted properly in Kubernetes 1.23.0-1.23.2.

Policy Definition

/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp-strict
  annotations:
    policies.kyverno.io/title: Restrict Seccomp (Strict) in CEL
    policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      The seccomp profile in the Restricted group must not be explicitly set to Unconfined
      but additionally must also not allow an unset value. This policy,
      requiring Kubernetes v1.19 or later, ensures that seccomp is
      set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
  background: true
  validationFailureAction: Audit
  rules:
    - name: check-seccomp-strict
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: >-
                !has(object.spec.securityContext) ||
                !has(object.spec.securityContext.seccompProfile) ||
                !has(object.spec.securityContext.seccompProfile.type) ||
                object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                object.spec.securityContext.seccompProfile.type == 'Localhost'
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.

            - expression: >-
                object.spec.containers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seccompProfile) ||
                !has(container.securityContext.seccompProfile.type) ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.containers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.

            - expression: >-
                !has(object.spec.initContainers) ||
                object.spec.initContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seccompProfile) ||
                !has(container.securityContext.seccompProfile.type) ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.initContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.

            - expression: >-
                !has(object.spec.ephemeralContainers) ||
                object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seccompProfile) ||
                !has(container.securityContext.seccompProfile.type) ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
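The following Python is an added example, not part of the Kyverno policy above or of the Kyverno project. It models the four CEL expressions in the policy offline so that a reviewer can see exactly which Pod specs pass and which are rejected before rolling the policy out in `Enforce` mode. Each expression in the policy begins with `!has(...) ||`, so a Pod that never sets a seccomp profile at the pod level or in any container evaluates to true and is admitted; the expressions reject only an explicitly disallowed profile type. The `strict_violations` function is an assumed stricter variant (not on the page) that also requires every container to receive an allowed profile from its own `securityContext` or from the pod level; the Pod specs are constructed test inputs.

```python
"""Offline model of the restrict-seccomp-strict CEL expressions (added example).

`has()` mirrors CEL's field-presence check on the admitted object; the Pod
dicts at the bottom are constructed test inputs, not real cluster objects.
"""

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}


def has(obj, *path):
    """CEL has(): true only if every key along the path is present."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return False
        obj = obj[key]
    return True


def seccomp_ok(ctx):
    """One disjunct of the policy: an absent securityContext, seccompProfile or
    type passes; a present type passes only if it is RuntimeDefault or Localhost."""
    if not has(ctx, "securityContext", "seccompProfile", "type"):
        return True
    return ctx["securityContext"]["seccompProfile"]["type"] in ALLOWED_TYPES


def page_policy_violations(pod):
    """Return the field named by every policy expression that evaluates to false,
    in the order the expressions appear in the policy."""
    spec = pod["spec"]
    violations = []
    if not seccomp_ok(spec):
        violations.append("spec.securityContext.seccompProfile.type")
    if not all(seccomp_ok(c) for c in spec["containers"]):
        violations.append("spec.containers[*].securityContext.seccompProfile.type")
    for field in ("initContainers", "ephemeralContainers"):
        # !has(object.spec.<field>) || object.spec.<field>.all(...)
        if has(spec, field) and not all(seccomp_ok(c) for c in spec[field]):
            violations.append(f"spec.{field}[*].securityContext.seccompProfile.type")
    return violations


def strict_violations(pod):
    """Assumed stricter variant (not the page's policy): in addition to the checks
    above, every container must end up with an allowed profile, either set on the
    container itself or inherited from a valid pod-level securityContext."""
    spec = pod["spec"]
    pod_level_set = has(spec, "securityContext", "seccompProfile", "type") and seccomp_ok(spec)
    violations = page_policy_violations(pod)
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(field, []):
            own = has(c, "securityContext", "seccompProfile", "type")
            if not own and not pod_level_set:
                violations.append(f"{field}/{c['name']}: no seccomp profile at container or pod level")
    return violations


# Constructed sample Pods (hypothetical names and images).
UNCONFINED_POD = {"spec": {
    "securityContext": {"seccompProfile": {"type": "Unconfined"}},
    "containers": [{"name": "app", "image": "example/app:1.0"}]}}

COMPLIANT_POD = {"spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1.0"}],
    "initContainers": [{"name": "init", "image": "example/init:1.0",
                        "securityContext": {"seccompProfile": {
                            "type": "Localhost", "localhostProfile": "profiles/audit.json"}}}]}}

# No profile anywhere: admitted by the page's expressions, flagged by the strict variant.
UNSET_POD = {"spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]}}

# Pod level unset, one container explicitly Unconfined.
MIXED_POD = {"spec": {"containers": [
    {"name": "app", "image": "example/app:1.0",
     "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}


if __name__ == "__main__":
    for name, pod in [("unconfined", UNCONFINED_POD), ("compliant", COMPLIANT_POD),
                      ("unset", UNSET_POD), ("mixed", MIXED_POD)]:
        print(f"{name:10s} page policy: {page_policy_violations(pod) or 'pass'}")
        print(f"{name:10s} strict     : {strict_violations(pod) or 'pass'}")
```

Running the script shows the `unset` Pod passing the page's expressions while the strict variant reports the container that has no profile from any source; when adopting the policy in `Enforce` mode, decide explicitly whether that admitted-when-unset behaviour matches the intent stated in the description.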