Restrict Seccomp (Strict)

The seccomp profile in the Restricted group must neither be explicitly set to `Unconfined` nor left unset. This policy, which requires Kubernetes v1.19 or later, ensures that the seccomp profile type is set to `RuntimeDefault` or `Localhost`, either once at the Pod level or explicitly on every container (including init and ephemeral containers). A known issue prevents a policy such as this one, which uses `anyPattern`, from being persisted properly in Kubernetes 1.23.0-1.23.2.

Policy Definition

/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp-strict
  annotations:
    policies.kyverno.io/title: Restrict Seccomp (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      The seccomp profile in the Restricted group must not be explicitly set to Unconfined
      but additionally must also not allow an unset value. This policy,
      requiring Kubernetes v1.19 or later, ensures that seccomp is
      set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
  background: true
  validationFailureAction: audit
  rules:
    - name: check-seccomp-strict
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Use of custom Seccomp profiles is disallowed. The fields
          spec.securityContext.seccompProfile.type,
          spec.containers[*].securityContext.seccompProfile.type,
          spec.initContainers[*].securityContext.seccompProfile.type, and
          spec.ephemeralContainers[*].securityContext.seccompProfile.type
          must be set to `RuntimeDefault` or `Localhost`.
        anyPattern:
        # Branch 1: the Pod-level profile is allowed; any container-level
        # override, if present, must also be allowed.
        - spec:
            securityContext:
              seccompProfile:
                type: "RuntimeDefault | Localhost"
            =(ephemeralContainers):
            - =(securityContext):
                =(seccompProfile):
                  =(type): "RuntimeDefault | Localhost"
            =(initContainers):
            - =(securityContext):
                =(seccompProfile):
                  =(type): "RuntimeDefault | Localhost"
            containers:
            - =(securityContext):
                =(seccompProfile):
                  =(type): "RuntimeDefault | Localhost"
        # Branch 2: no Pod-level profile is required, but every container
        # (and every init/ephemeral container, when those lists exist)
        # must set an allowed profile explicitly.
        - spec:
            =(ephemeralContainers):
            - securityContext:
                seccompProfile:
                  type: "RuntimeDefault | Localhost"
            =(initContainers):
            - securityContext:
                seccompProfile:
                  type: "RuntimeDefault | Localhost"
            containers:
            - securityContext:
                seccompProfile:
                  type: "RuntimeDefault | Localhost"
```
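To see exactly which Pods the two `anyPattern` branches accept and reject, here is an added Python re-implementation of the rule's logic. It is example code written for this page, not Kyverno's pattern engine or any code from the Kyverno project; the `=()` optional anchors are modelled as "if the field is present it must match", and the Pod specs are constructed for illustration. It is intended to give the same verdict as `kyverno apply` on these inputs, but confirm that against the real policy before relying on it.

```python
"""Reference check mirroring the restrict-seccomp-strict anyPattern branches.

Added example, not Kyverno code. The two functions below correspond to the two
entries under `anyPattern`; a Pod passes if at least one of them matches.
"""

ALLOWED = {"RuntimeDefault", "Localhost"}
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def _seccomp_type(obj):
    """Return securityContext.seccompProfile.type, or None if any level is unset."""
    sc = obj.get("securityContext") or {}
    prof = sc.get("seccompProfile") or {}
    return prof.get("type")


def pattern_pod_level(spec):
    """Branch 1: Pod-level type must be allowed.

    Container entries use the optional anchor `=(type)`, so an unset
    container-level type is fine, but a set one must also be allowed.
    """
    if not spec.get("containers"):          # `containers:` is a required key
        return False
    if _seccomp_type(spec) not in ALLOWED:
        return False
    for key in CONTAINER_LISTS:
        for c in spec.get(key) or []:
            t = _seccomp_type(c)
            if t is not None and t not in ALLOWED:
                return False
    return True


def pattern_container_level(spec):
    """Branch 2: no Pod-level requirement, but every container must set an
    allowed type explicitly; init/ephemeral lists are optional, yet when they
    exist each element must comply too."""
    if not spec.get("containers"):
        return False
    for key in CONTAINER_LISTS:
        for c in spec.get(key) or []:
            if _seccomp_type(c) not in ALLOWED:
                return False
    return True


def check_pod(pod):
    """anyPattern semantics: pass if at least one branch matches."""
    spec = pod.get("spec") or {}
    return pattern_pod_level(spec) or pattern_container_level(spec)


def _sc(profile_type, **extra):
    """Build a securityContext with the given seccompProfile type (constructed input)."""
    return {"securityContext": {"seccompProfile": {"type": profile_type, **extra}}}


# Constructed sample Pods covering the interesting edge cases.
SAMPLE_PODS = {
    # Pod-level RuntimeDefault, containers inherit it: pass via branch 1.
    "pod-level-runtimedefault": {"spec": {
        **_sc("RuntimeDefault"),
        "containers": [{"name": "app", "image": "nginx"}]}},
    # Pod-level RuntimeDefault but a container overrides to Unconfined: fail.
    "pod-level-with-unconfined-override": {"spec": {
        **_sc("RuntimeDefault"),
        "containers": [{"name": "app", "image": "nginx", **_sc("Unconfined")}]}},
    # No Pod-level profile, every container sets one: pass via branch 2.
    "container-level-localhost": {"spec": {
        "containers": [
            {"name": "app", "image": "nginx",
             **_sc("Localhost", localhostProfile="profiles/app.json")},
            {"name": "side", "image": "busybox", **_sc("RuntimeDefault")}]}},
    # No Pod-level profile and one container left unset: fail.
    "container-level-partially-unset": {"spec": {
        "containers": [
            {"name": "app", "image": "nginx", **_sc("Localhost")},
            {"name": "side", "image": "busybox"}]}},
    # Explicit Unconfined at Pod level with containers unset: fail.
    "pod-level-unconfined": {"spec": {
        **_sc("Unconfined"),
        "containers": [{"name": "app", "image": "nginx"}]}},
    # Containers compliant, but an init container is unset: fail.
    "init-container-unset": {"spec": {
        "containers": [{"name": "app", "image": "nginx", **_sc("RuntimeDefault")}],
        "initContainers": [{"name": "init", "image": "busybox"}]}},
}


def evaluate_samples():
    """Return {pod name: passes?} for every constructed sample."""
    return {name: check_pod(pod) for name, pod in SAMPLE_PODS.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Note that, like the policy itself, this check accepts any `Localhost` profile without inspecting `localhostProfile`; if you need to restrict which on-node profiles may be referenced, that needs a separate rule on `localhostProfile`.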