Back to Policies

Restrict Seccomp (Strict)

The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp-strict
  annotations:
    policies.kyverno.io/title: Restrict Seccomp (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: 1.22-1.23
    policies.kyverno.io/description: The seccomp profile in the Restricted group must not be explicitly set to Unconfined but additionally must also not allow an unset value. This policy,  requiring Kubernetes v1.19 or later, ensures that seccomp is  set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
  background: true
  validationFailureAction: Audit
  rules:
    - name: check-seccomp-strict
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type, spec.containers[*].securityContext.seccompProfile.type, spec.initContainers[*].securityContext.seccompProfile.type, and spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to `RuntimeDefault` or `Localhost`.
        anyPattern:
          - spec:
              securityContext:
                seccompProfile:
                  type: RuntimeDefault | Localhost
              "=(ephemeralContainers)":
                - "=(securityContext)":
                    "=(seccompProfile)":
                      "=(type)": RuntimeDefault | Localhost
              "=(initContainers)":
                - "=(securityContext)":
                    "=(seccompProfile)":
                      "=(type)": RuntimeDefault | Localhost
              containers:
                - "=(securityContext)":
                    "=(seccompProfile)":
                      "=(type)": RuntimeDefault | Localhost
          - spec:
              "=(ephemeralContainers)":
                - securityContext:
                    seccompProfile:
                      type: RuntimeDefault | Localhost
              "=(initContainers)":
                - securityContext:
                    seccompProfile:
                      type: RuntimeDefault | Localhost
              containers:
                - securityContext:
                    seccompProfile:
                      type: RuntimeDefault | Localhost

Related Policies

ValidateMedium

Application Field Validation in CEL expressions

This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.

Application
ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application