Restrict Seccomp (Strict) in CEL
The seccomp profile in the Restricted group must not be explicitly set to Unconfined and, unlike the non-strict policy, must not be left unset either. This policy ensures that seccomp is set to `RuntimeDefault` or `Localhost`, either at the pod level (where containers that say nothing inherit it) or explicitly on every container, init container and ephemeral container. The `seccompProfile` field requires Kubernetes v1.19 or later. The known issue that prevents the `anyPattern` form of this policy from being persisted in Kubernetes 1.23.0-1.23.2 concerns the pattern-based version; the CEL rule below uses no `anyPattern`.
Policy Definition
/pod-security-cel/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp-strict
  annotations:
    policies.kyverno.io/title: Restrict Seccomp (Strict) in CEL
    policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      The seccomp profile in the Restricted group must not be explicitly set to Unconfined
      and must not be left unset either. This policy ensures that seccomp is set to
      `RuntimeDefault` or `Localhost`, either at the pod level or explicitly on every
      container, init container and ephemeral container. The `seccompProfile` field
      requires Kubernetes v1.19 or later. The known issue that prevents the `anyPattern`
      form of this policy from being persisted in Kubernetes 1.23.0-1.23.2 does not
      affect this CEL rule, which uses no `anyPattern`.
spec:
  background: true
  validationFailureAction: Audit
  rules:
    - name: check-seccomp-strict
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            # A pod-level profile that is set may only be RuntimeDefault or Localhost.
            - expression: >-
                !has(object.spec.securityContext) ||
                !has(object.spec.securityContext.seccompProfile) ||
                !has(object.spec.securityContext.seccompProfile.type) ||
                object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                object.spec.securityContext.seccompProfile.type == 'Localhost'
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.

            # The same for every container, init container and ephemeral container.
            - expression: >-
                object.spec.containers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seccompProfile) ||
                !has(container.securityContext.seccompProfile.type) ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.containers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.

            - expression: >-
                !has(object.spec.initContainers) ||
                object.spec.initContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seccompProfile) ||
                !has(container.securityContext.seccompProfile.type) ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.initContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.

            - expression: >-
                !has(object.spec.ephemeralContainers) ||
                object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seccompProfile) ||
                !has(container.securityContext.seccompProfile.type) ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.

            # The strict part: an unset profile is itself a violation. Either the pod level
            # sets a profile (the expressions above already guarantee any set value is
            # RuntimeDefault or Localhost), or every container of every kind sets its own.
            - expression: >-
                (has(object.spec.securityContext) &&
                has(object.spec.securityContext.seccompProfile) &&
                has(object.spec.securityContext.seccompProfile.type)) ||
                (object.spec.containers.all(container, has(container.securityContext) &&
                has(container.securityContext.seccompProfile) &&
                has(container.securityContext.seccompProfile.type)) &&
                (!has(object.spec.initContainers) ||
                object.spec.initContainers.all(container, has(container.securityContext) &&
                has(container.securityContext.seccompProfile) &&
                has(container.securityContext.seccompProfile.type))) &&
                (!has(object.spec.ephemeralContainers) ||
                object.spec.ephemeralContainers.all(container, has(container.securityContext) &&
                has(container.securityContext.seccompProfile) &&
                has(container.securityContext.seccompProfile.type))))
              message: >-
                A seccomp profile must be set. Set spec.securityContext.seccompProfile.type to
                `RuntimeDefault` or `Localhost`, or set it explicitly on every container,
                init container and ephemeral container.
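The following is an added example, not code from the Kyverno policy library: it re-implements the policy's CEL checks in plain Python so the pod shapes the strict rule accepts and rejects (pod-level default inherited by silent containers, per-container coverage, nothing set anywhere, partial coverage, an init container opting out with Unconfined, a debug ephemeral container) can be exercised offline without a cluster. The pod manifests, container names and image reference are constructed for this example; the `strict=False` switch models the non-strict variant of the policy for contrast.

```python
"""Reference model of the Restricted seccomp rule enforced by restrict-seccomp-strict.

Added example, not part of the Kyverno policy library. The sample pods below are
constructed for this example.
"""
from __future__ import annotations

from typing import Any, Iterator

ALLOWED_PROFILES = {"RuntimeDefault", "Localhost"}
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def profile_type(obj: dict[str, Any]) -> str | None:
    """securityContext.seccompProfile.type of a pod spec or container, or None if unset.

    Mirrors the CEL `has(...)` chain: a missing securityContext, seccompProfile or
    type all count as "unset".
    """
    return ((obj.get("securityContext") or {}).get("seccompProfile") or {}).get("type")


def iter_containers(spec: dict[str, Any]) -> Iterator[tuple[str, dict[str, Any]]]:
    """Yield (field name, container) for every container of every kind in the pod spec."""
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            yield field, container


def check_seccomp(pod: dict[str, Any], strict: bool = True) -> list[str]:
    """Return the messages of the failing checks; an empty list means the pod is allowed.

    strict=True mirrors restrict-seccomp-strict. strict=False mirrors the non-strict
    policy, which only rejects explicitly disallowed profiles and tolerates unset ones.
    """
    spec = pod["spec"]
    failures: list[str] = []

    # Expressions 1-4 of the policy: a profile that IS set must be RuntimeDefault or Localhost.
    pod_level = profile_type(spec)
    if pod_level is not None and pod_level not in ALLOWED_PROFILES:
        failures.append("spec.securityContext.seccompProfile.type must be RuntimeDefault or Localhost")
    for field, container in iter_containers(spec):
        container_level = profile_type(container)
        if container_level is not None and container_level not in ALLOWED_PROFILES:
            failures.append(
                f"spec.{field}[*].securityContext.seccompProfile.type must be RuntimeDefault or Localhost"
            )

    # The strict addition: "unset" is itself a violation. Coverage comes either from an
    # allowed pod-level profile (inherited by containers that say nothing) or from every
    # container of every kind setting its own.
    if strict:
        pod_covers_all = pod_level in ALLOWED_PROFILES
        every_container_sets = all(profile_type(c) is not None for _, c in iter_containers(spec))
        if not (pod_covers_all or every_container_sets):
            failures.append(
                "seccomp profile is unset: set spec.securityContext.seccompProfile.type, "
                "or set it on every container, initContainer and ephemeralContainer"
            )
    return failures


def _container(name: str, seccomp: str | None = None) -> dict[str, Any]:
    """Minimal constructed container, optionally with an explicit seccomp profile type."""
    container: dict[str, Any] = {"name": name, "image": "registry.example/app:1.0"}
    if seccomp is not None:
        container["securityContext"] = {"seccompProfile": {"type": seccomp}}
    return container


def _pod(name: str, pod_seccomp: str | None = None, **kinds: list[dict[str, Any]]) -> dict[str, Any]:
    """Minimal constructed Pod; keyword args are containers/initContainers/ephemeralContainers."""
    spec: dict[str, Any] = {"containers": kinds.pop("containers", [_container("app")])}
    spec.update(kinds)
    if pod_seccomp is not None:
        spec["securityContext"] = {"seccompProfile": {"type": pod_seccomp}}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Constructed sample pods covering the shapes the policy distinguishes.
SAMPLE_PODS = {
    # Pod-level RuntimeDefault is inherited by containers that say nothing: allowed.
    "pod-level": _pod("pod-level", "RuntimeDefault", initContainers=[_container("init")]),
    # No pod-level profile, but every container sets an allowed one: allowed.
    "per-container": _pod("per-container",
                          containers=[_container("app", "RuntimeDefault"), _container("sidecar", "Localhost")]),
    # Nothing set anywhere: tolerated by the non-strict policy, rejected by the strict one.
    "unset": _pod("unset"),
    # One container sets a profile, its sibling does not, no pod-level default: rejected.
    "partial": _pod("partial", containers=[_container("app", "RuntimeDefault"), _container("sidecar")]),
    # Pod-level default present, but an init container opts out with Unconfined: rejected.
    "init-unconfined": _pod("init-unconfined", "RuntimeDefault", initContainers=[_container("init", "Unconfined")]),
    # Debug ephemeral container added to a covered pod without its own profile: still allowed.
    "ephemeral-debug": _pod("ephemeral-debug", "RuntimeDefault", ephemeralContainers=[_container("debugger")]),
}

if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        strict_failures = check_seccomp(pod)
        lax = "pass" if not check_seccomp(pod, strict=False) else "FAIL"
        print(f"{name:16} strict={'pass' if not strict_failures else 'FAIL'} non-strict={lax}")
        for msg in strict_failures:
            print("    ", msg)
```

Against a real cluster the equivalent check is `kyverno apply restrict-seccomp-strict.yaml --resource <pod.yaml>` with the pod written to a file; the model above is only there to make the accept/reject boundary explicit, in particular that a pod with no profile anywhere passes the non-strict policy but fails this one, and that an Unconfined override on any single container is rejected even when the pod level is RuntimeDefault.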