Restrict Seccomp
The runtime default seccomp profile must be required, or only specific additional profiles should be allowed. This policy checks `seccompProfile.type` at the pod level and on every container and init container: the field may be unset, but if it is set its value must be `RuntimeDefault`. (The spelling `runtime/default` belongs to the deprecated `seccomp.security.alpha.kubernetes.io/*` annotations; it is not a valid value for the typed `securityContext.seccompProfile.type` field, which accepts only `RuntimeDefault`, `Localhost` and `Unconfined`.)

Three caveats when deploying it. First, `validationFailureAction: audit` only records a policy report; switch it to `enforce` to reject non-compliant pods at admission. Second, the pattern allows the field to be left unset, so a pod with no `seccompProfile` at all passes even though it runs without a seccomp filter unless the kubelet is configured to apply `RuntimeDefault` by default; the Restricted Pod Security Standard is stricter and also permits `Localhost` profiles, which this policy rejects. Third, the pattern does not cover `spec.ephemeralContainers`, so a container injected with `kubectl debug` is not checked. Because the rule matches `Pod`, Kyverno's auto-generation also applies it to Deployments, StatefulSets and other pod controllers unless that is disabled with the `pod-policies.kyverno.io/autogen-controllers` annotation.
Policy Definition
/pod-security/restricted/restrict-seccomp/restrict-seccomp.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-seccomp
  annotations:
    policies.kyverno.io/title: Restrict Seccomp
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The runtime default seccomp profile must be required, or only specific
      additional profiles should be allowed. This policy ensures that only
      `RuntimeDefault` is used as a `type`.
spec:
  # background: true also scans existing pods and reports them, not just new admissions
  background: true
  # audit only records violations in a PolicyReport; use enforce to block pods
  validationFailureAction: audit
  rules:
  - name: seccomp
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of custom Seccomp profiles is disallowed. The fields
        spec.securityContext.seccompProfile.type,
        spec.containers[*].securityContext.seccompProfile.type, and
        spec.initContainers[*].securityContext.seccompProfile.type
        must be unset or set to `RuntimeDefault`.
      pattern:
        spec:
          # =(key) is a conditional anchor: if the key is present it must match,
          # if it is absent the pod still passes
          =(securityContext):
            =(seccompProfile):
              =(type): "RuntimeDefault"
          =(initContainers):
          - =(securityContext):
              =(seccompProfile):
                =(type): "RuntimeDefault"
          # containers is required in a pod spec, so it carries no anchor
          containers:
          - =(securityContext):
              =(seccompProfile):
                =(type): "RuntimeDefault"
```
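To see exactly which pods the pattern above accepts and rejects, the following is an added example (not Kyverno's engine and not part of the policy library) that mirrors the semantics of the policy's conditional anchors in plain Python and runs it over a handful of constructed pod manifests. The manifests, names and the `violations` helper are all assumptions made for the illustration; the allowed value and the three checked paths come from the policy.

```python
"""Mirror of the restrict-seccomp pattern as a plain Python check.

Added example, not Kyverno's engine: it reproduces the semantics of the
policy's conditional anchors so the effect of each field value is visible.
`=(key)` means: if `key` is present it must match; if it is absent the pod
passes. `containers` has no anchor, so it must exist.
"""
from __future__ import annotations

from typing import Any

ALLOWED_TYPE = "RuntimeDefault"  # the only value the policy pattern accepts

# Constructed sample manifests (not from any real cluster).
POD_UNSET = {"kind": "Pod", "metadata": {"name": "unset"},
             "spec": {"containers": [{"name": "app", "image": "nginx"}]}}

POD_DEFAULT = {"kind": "Pod", "metadata": {"name": "default"},
               "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                        "containers": [{"name": "app", "image": "nginx",
                                        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]}}

POD_UNCONFINED = {"kind": "Pod", "metadata": {"name": "unconfined"},
                  "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                           "containers": [{"name": "app", "image": "nginx",
                                           "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}

# Localhost is allowed by the Restricted PSS but rejected by this policy.
POD_LOCALHOST = {"kind": "Pod", "metadata": {"name": "localhost"},
                 "spec": {"initContainers": [{"name": "init", "image": "busybox",
                                              "securityContext": {"seccompProfile": {
                                                  "type": "Localhost",
                                                  "localhostProfile": "profiles/audit.json"}}}],
                          "containers": [{"name": "app", "image": "nginx"}]}}

# ephemeralContainers is not in the pattern, so this one slips through.
POD_EPHEMERAL = {"kind": "Pod", "metadata": {"name": "ephemeral"},
                 "spec": {"containers": [{"name": "app", "image": "nginx"}],
                          "ephemeralContainers": [{"name": "debug", "image": "busybox",
                                                   "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}


def seccomp_type(ctx: dict[str, Any] | None) -> str | None:
    """Return securityContext.seccompProfile.type, or None if any level is absent."""
    if not ctx:
        return None
    profile = ctx.get("seccompProfile")
    if not profile:
        return None
    return profile.get("type")


def violations(pod: dict[str, Any]) -> list[str]:
    """Return the paths where seccompProfile.type is set to something other than RuntimeDefault.

    An empty list means the pod passes the policy pattern.
    """
    spec = pod["spec"]
    bad: list[str] = []
    pod_type = seccomp_type(spec.get("securityContext"))
    if pod_type is not None and pod_type != ALLOWED_TYPE:
        bad.append(f"spec.securityContext.seccompProfile.type={pod_type}")
    # initContainers is optional (=() anchor); containers is required by the pattern.
    if "containers" not in spec:
        bad.append("spec.containers missing")
    for field in ("initContainers", "containers"):
        for i, container in enumerate(spec.get(field, [])):
            ctype = seccomp_type(container.get("securityContext"))
            if ctype is not None and ctype != ALLOWED_TYPE:
                bad.append(f"spec.{field}[{i}].securityContext.seccompProfile.type={ctype}")
    return bad


def evaluate_all() -> dict[str, list[str]]:
    """Run the check over every sample pod, keyed by pod name."""
    pods = [POD_UNSET, POD_DEFAULT, POD_UNCONFINED, POD_LOCALHOST, POD_EPHEMERAL]
    return {p["metadata"]["name"]: violations(p) for p in pods}


if __name__ == "__main__":
    for name, found in evaluate_all().items():
        print(f"{name:10s} {'pass' if not found else 'FAIL ' + ', '.join(found)}")
```

Note that `unset` and `ephemeral` both pass: the first because the anchors make the field optional, the second because ephemeral containers are outside the pattern. To run the real policy against a manifest rather than this mirror, use the Kyverno CLI, for example `kyverno apply restrict-seccomp.yaml --resource pod.yaml`.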