Restrict Seccomp
The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is unset or set to `RuntimeDefault` or `Localhost`.
Policy Definition
/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp
  annotations:
    policies.kyverno.io/title: Restrict Seccomp
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      The seccomp profile must not be explicitly set to Unconfined. This policy,
      requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
      set to `RuntimeDefault` or `Localhost`.
spec:
  background: true
  validationFailureAction: audit
  rules:
    - name: check-seccomp
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Use of custom Seccomp profiles is disallowed. The fields
          spec.securityContext.seccompProfile.type,
          spec.containers[*].securityContext.seccompProfile.type,
          spec.initContainers[*].securityContext.seccompProfile.type, and
          spec.ephemeralContainers[*].securityContext.seccompProfile.type
          must be unset or set to `RuntimeDefault` or `Localhost`.
        pattern:
          spec:
            =(securityContext):
              =(seccompProfile):
                =(type): "RuntimeDefault | Localhost"
            =(ephemeralContainers):
              - =(securityContext):
                  =(seccompProfile):
                    =(type): "RuntimeDefault | Localhost"
            =(initContainers):
              - =(securityContext):
                  =(seccompProfile):
                    =(type): "RuntimeDefault | Localhost"
            containers:
              - =(securityContext):
                  =(seccompProfile):
                    =(type): "RuntimeDefault | Localhost"
```
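To make the semantics of the pattern concrete, the following is an added example (not code from the Kyverno project) that re-implements the same check in plain Python: the `=()` conditional anchors mean a missing `securityContext`, `seccompProfile` or `type` passes, while an explicit value outside `RuntimeDefault | Localhost` (such as `Unconfined`) fails. The two Pod manifests are constructed for the example.

```python
# Allowed values from the policy pattern: "RuntimeDefault | Localhost"
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def seccomp_violations(pod):
    """Return the paths whose seccompProfile.type is explicitly set to a
    disallowed value. Unset fields pass, mirroring the =() anchors."""
    spec = pod.get("spec", {})
    violations = []

    def check(security_context, path):
        # =(securityContext) / =(seccompProfile) / =(type): only validate if present
        profile_type = (security_context or {}).get("seccompProfile", {}).get("type")
        if profile_type is not None and profile_type not in ALLOWED_SECCOMP_TYPES:
            violations.append(f"{path}.securityContext.seccompProfile.type={profile_type}")

    check(spec.get("securityContext"), "spec")
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for index, container in enumerate(spec.get(field, [])):
            check(container.get("securityContext"), f"spec.{field}[{index}]")
    return violations


# Constructed sample: pod-level RuntimeDefault, container leaves seccomp unset -> passes
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "nginx"}],
    },
}

# Constructed sample: one container explicitly Unconfined -> one violation;
# the init container's Localhost profile is allowed
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"seccompProfile": {"type": "Unconfined"}}}],
        "initContainers": [{"name": "init", "image": "busybox",
                            "securityContext": {"seccompProfile": {
                                "type": "Localhost", "localhostProfile": "profiles/audit.json"}}}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        print(pod["metadata"]["name"], seccomp_violations(pod) or "OK")
```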