The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp-strict
  annotations:
    policies.kyverno.io/title: Restrict Seccomp (Strict) in CEL
    policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: 1.26-1.27
    policies.kyverno.io/description: >-
      The seccomp profile in the Restricted group must not be explicitly set to Unconfined
      but additionally must also not allow an unset value. This policy,
      requiring Kubernetes v1.19 or later, ensures that seccomp is
      set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
  background: true
  validationFailureAction: Audit
  rules:
    - name: check-seccomp-strict
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: "!object.spec.?securityContext.?seccompProfile.?type.hasValue() || object.spec.securityContext.seccompProfile.type == 'RuntimeDefault' || object.spec.securityContext.seccompProfile.type == 'Localhost'"
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
            - expression: |-
                object.spec.containers.all(container,
                !container.?securityContext.?seccompProfile.?type.hasValue() ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.containers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
            - expression: |-
                object.spec.?initContainers.orValue([]).all(container,
                !container.?securityContext.?seccompProfile.?type.hasValue() ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.initContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
            - expression: |-
                object.spec.?ephemeralContainers.orValue([]).all(container,
                !container.?securityContext.?seccompProfile.?type.hasValue() ||
                container.securityContext.seccompProfile.type == 'RuntimeDefault' ||
                container.securityContext.seccompProfile.type == 'Localhost')
              message: >-
                Use of custom Seccomp profiles is disallowed. The field
                spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
```
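To see what the four CEL expressions accept and reject before applying the policy to a cluster, the following Python mirrors their logic over constructed Pod manifests. This is an added example, not code from Kyverno or from the policy above; the function names (`profile_type`, `profile_ok`, `evaluate`) and the three sample Pods are assumptions made here. The optional-chaining `?` operators map to "treat any missing level as absent", and `orValue([])` maps to "iterate an empty list when the field is missing". One point worth confirming with the third sample: because every expression starts with `!...hasValue() ||`, a Pod that sets no `seccompProfile` anywhere evaluates to true in all four checks, so the policy as written reports only explicitly disallowed values such as `Unconfined`. Also note `validationFailureAction: Audit`, which records results in policy reports rather than rejecting the admission request.

```python
"""Python mirror of the CEL checks in restrict-seccomp-strict (added example, not Kyverno code)."""

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}


def profile_type(security_context):
    """Return seccompProfile.type from a securityContext, or None when any level is absent.

    Reproduces the CEL optional chaining `?securityContext.?seccompProfile.?type`:
    a missing securityContext, seccompProfile or type all yield None (no value).
    """
    sc = security_context or {}
    return (sc.get("seccompProfile") or {}).get("type")


def profile_ok(security_context):
    """`!type.hasValue() || type == 'RuntimeDefault' || type == 'Localhost'`.

    Exactly like the CEL expression, an absent type is accepted.
    """
    t = profile_type(security_context)
    return t is None or t in ALLOWED_TYPES


def evaluate(pod):
    """Return the field paths whose seccomp profile type is disallowed.

    An empty list means every expression in the policy would evaluate to true.
    """
    spec = pod.get("spec", {})
    violations = []
    # First expression: the Pod-level securityContext.
    if not profile_ok(spec.get("securityContext")):
        violations.append("spec.securityContext.seccompProfile.type")
    # containers is mandatory in a Pod; initContainers and ephemeralContainers are
    # optional, which is what `.orValue([])` handles in the CEL expressions.
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for idx, container in enumerate(spec.get(field) or []):
            if not profile_ok(container.get("securityContext")):
                violations.append(f"spec.{field}[{idx}].securityContext.seccompProfile.type")
    return violations


# Constructed sample manifests (hypothetical names and images).
POD_COMPLIANT = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "compliant"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "securityContext": {"seccompProfile": {"type": "Localhost",
                                                   "localhostProfile": "profiles/app.json"}},
        }],
    },
}

POD_UNCONFINED = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "unconfined"},
    "spec": {
        "initContainers": [{
            "name": "setup", "image": "example.invalid/setup:1.0",
            "securityContext": {"seccompProfile": {"type": "Unconfined"}},
        }],
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "securityContext": {"seccompProfile": {"type": "Unconfined"}},
        }],
    },
}

# No seccompProfile anywhere: passes all four expressions as written.
POD_UNSET = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "unset"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]},
}


if __name__ == "__main__":
    for pod in (POD_COMPLIANT, POD_UNCONFINED, POD_UNSET):
        found = evaluate(pod)
        verdict = "pass" if not found else "fail"
        print(f"{pod['metadata']['name']}: {verdict}")
        for path in found:
            print(f"  Use of custom Seccomp profiles is disallowed. The field {path} "
                  "must be set to `RuntimeDefault` or `Localhost`.")
```

Running the script prints one verdict per sample; `unconfined` fails on both its init container and its app container, while `compliant` and `unset` pass. To run the same manifests against the real policy, use `kyverno apply` with the policy file and the Pod YAML.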
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.