All Policies
Restrict Seccomp (Strict)
The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
Policy Definition
/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: restrict-seccomp-strict
5 annotations:
6 policies.kyverno.io/title: Restrict Seccomp (Strict)
7 policies.kyverno.io/category: Pod Security Standards (Restricted)
8 policies.kyverno.io/severity: medium
9 policies.kyverno.io/subject: Pod
10 kyverno.io/kyverno-version: 1.6.0
11 kyverno.io/kubernetes-version: "1.22-1.23"
12 policies.kyverno.io/description: >-
13 The seccomp profile in the Restricted group must not be explicitly set to Unconfined
14 but additionally must also not allow an unset value. This policy,
15 requiring Kubernetes v1.19 or later, ensures that seccomp is
16 set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
17 using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
18spec:
19 background: true
20 validationFailureAction: audit
21 rules:
22 - name: check-seccomp-strict
23 match:
24 any:
25 - resources:
26 kinds:
27 - Pod
28 validate:
29 message: >-
30 Use of custom Seccomp profiles is disallowed. The fields
31 spec.securityContext.seccompProfile.type,
32 spec.containers[*].securityContext.seccompProfile.type,
33 spec.initContainers[*].securityContext.seccompProfile.type, and
34 spec.ephemeralContainers[*].securityContext.seccompProfile.type
35 must be set to `RuntimeDefault` or `Localhost`.
36 anyPattern:
37 - spec:
38 securityContext:
39 seccompProfile:
40 type: "RuntimeDefault | Localhost"
41 =(ephemeralContainers):
42 - =(securityContext):
43 =(seccompProfile):
44 =(type): "RuntimeDefault | Localhost"
45 =(initContainers):
46 - =(securityContext):
47 =(seccompProfile):
48 =(type): "RuntimeDefault | Localhost"
49 containers:
50 - =(securityContext):
51 =(seccompProfile):
52 =(type): "RuntimeDefault | Localhost"
53 - spec:
54 =(ephemeralContainers):
55 - securityContext:
56 seccompProfile:
57 type: "RuntimeDefault | Localhost"
58 =(initContainers):
59 - securityContext:
60 seccompProfile:
61 type: "RuntimeDefault | Localhost"
62 containers:
63 - securityContext:
64 seccompProfile:
65 type: "RuntimeDefault | Localhost"