
Restrict Seccomp

The runtime default seccomp profile must be required, or only specific additional profiles should be allowed. This policy, which requires Kubernetes v1.19 or later, ensures that the seccomp profile `type` is set to either `RuntimeDefault` or `Localhost` and is not left unset. Two rules are used: the first accepts a Pod whose pod-level `securityContext` sets an allowed type, or whose every container sets one; the second applies the same check to `initContainers` when that field is present.

Policy Definition

/pod-security/restricted/restrict-seccomp/restrict-seccomp.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp
  annotations:
    policies.kyverno.io/title: Restrict Seccomp
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The runtime default seccomp profile must be required, or only specific
      additional profiles should be allowed. This policy, requiring Kubernetes
      v1.19 or later, ensures that only the `RuntimeDefault` or `Localhost` is
      used as a `type` and that it is not unset.
spec:
  background: true
  validationFailureAction: enforce
  rules:
  - name: restrict-seccomp
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of custom Seccomp profiles is disallowed. The fields
        spec.securityContext.seccompProfile.type,
        spec.containers[*].securityContext.seccompProfile.type, and
        spec.initContainers[*].securityContext.seccompProfile.type
        must be set to `RuntimeDefault` or `Localhost`.
      anyPattern:
      - spec:
          securityContext:
            seccompProfile:
              type: "RuntimeDefault | Localhost"
      - spec:
          containers:
          - securityContext:
              seccompProfile:
                type: "RuntimeDefault | Localhost"
  - name: restrict-seccomp-initcontainers
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of custom Seccomp profiles is disallowed. The fields
        spec.securityContext.seccompProfile.type,
        spec.containers[*].securityContext.seccompProfile.type, and
        spec.initContainers[*].securityContext.seccompProfile.type
        must be set to `RuntimeDefault` or `Localhost`.
      anyPattern:
      - spec:
          securityContext:
            seccompProfile:
              type: "RuntimeDefault | Localhost"
      - spec:
          =(initContainers):
          - securityContext:
              seccompProfile:
                type: "RuntimeDefault | Localhost"
```
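To see precisely which Pods the two `anyPattern` rules above admit and reject, the following is an added example, not Kyverno's code and not part of the policy library. It re-implements only the small subset of Kyverno pattern semantics this policy relies on (map patterns, a single-element list pattern that every element must match, the `=(key)` conditional anchor, and `a | b` alternatives), transcribes the two rules as Python dicts, and evaluates them against constructed Pod manifests built as plain dicts so that no YAML library is needed. The `make_pod` helper and the manifests it produces are assumptions of the example. The last case is worth noting: a Pod that sets `RuntimeDefault` at pod level but overrides one container to `Unconfined` is admitted by these rules as written, because the first `anyPattern` entry of each rule is satisfied by the pod-level field alone and container-level overrides are not examined in that branch.

```python
"""Offline evaluation of the restrict-seccomp rules against sample Pods.

Added example: a minimal re-implementation of the Kyverno pattern features the
policy uses, NOT Kyverno's own matcher. Manifests are constructed inline.
"""

ALLOWED = "RuntimeDefault | Localhost"

# The two rules of the policy, transcribed verbatim as dict patterns.
# Each rule is an anyPattern: the Pod passes the rule if ANY pattern matches.
RULES = {
    "restrict-seccomp": [
        {"spec": {"securityContext": {"seccompProfile": {"type": ALLOWED}}}},
        {"spec": {"containers": [{"securityContext": {"seccompProfile": {"type": ALLOWED}}}]}},
    ],
    "restrict-seccomp-initcontainers": [
        {"spec": {"securityContext": {"seccompProfile": {"type": ALLOWED}}}},
        {"spec": {"=(initContainers)": [{"securityContext": {"seccompProfile": {"type": ALLOWED}}}]}},
    ],
}


def match_pattern(pattern, value):
    """Return True if `value` satisfies `pattern` (Kyverno-style subset)."""
    if isinstance(pattern, dict):
        if not isinstance(value, dict):
            return False
        for key, sub in pattern.items():
            if key.startswith("=(") and key.endswith(")"):
                # Conditional anchor: only checked when the field is present.
                real = key[2:-1]
                if real in value and not match_pattern(sub, value[real]):
                    return False
            elif key not in value or not match_pattern(sub, value[key]):
                return False
        return True
    if isinstance(pattern, list):
        # A list pattern must be satisfied by EVERY element of the resource list.
        if not isinstance(value, list):
            return False
        return all(any(match_pattern(p, item) for p in pattern) for item in value)
    if isinstance(pattern, str) and "|" in pattern:
        # "a | b" means the value must equal one of the alternatives.
        return value in [alt.strip() for alt in pattern.split("|")]
    return pattern == value


def evaluate(pod):
    """Return {rule_name: passed} for every rule of the policy."""
    return {name: any(match_pattern(p, pod) for p in patterns)
            for name, patterns in RULES.items()}


def admitted(pod):
    """A Pod is admitted only if every rule passes (validationFailureAction: enforce)."""
    return all(evaluate(pod).values())


def make_pod(pod_type=None, container_types=(None,), init_types=None):
    """Construct a sample Pod manifest (assumption of this example).

    None means the seccompProfile field is left unset at that level.
    """
    def sc(t):
        return {} if t is None else {"securityContext": {"seccompProfile": {"type": t}}}

    spec = {"containers": [{"name": f"c{i}", "image": "nginx", **sc(t)}
                           for i, t in enumerate(container_types)]}
    if pod_type is not None:
        spec["securityContext"] = {"seccompProfile": {"type": pod_type}}
    if init_types is not None:
        spec["initContainers"] = [{"name": f"i{i}", "image": "busybox", **sc(t)}
                                  for i, t in enumerate(init_types)]
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": spec}


if __name__ == "__main__":
    cases = {
        "nothing set": make_pod(),
        "pod-level RuntimeDefault": make_pod("RuntimeDefault"),
        "every container set": make_pod(None, ("RuntimeDefault", "Localhost")),
        "one container unset": make_pod(None, ("RuntimeDefault", None)),
        "container Unconfined": make_pod(None, ("Unconfined",)),
        "init container unset": make_pod(None, ("RuntimeDefault",), init_types=(None,)),
        "pod-level set, container Unconfined": make_pod("RuntimeDefault", ("Unconfined",)),
    }
    for label, pod in cases.items():
        print(f"{label:40s} admitted={admitted(pod)} rules={evaluate(pod)}")
```

Run the script directly to print each case. Rejections come from a missing field at any level the chosen pattern inspects, not from a wrong value alone: a Pod with no seccomp fields at all still passes the `initcontainers` rule (the `=(initContainers)` anchor is skipped when the field is absent) and is rejected only by the first rule.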