Restrict Seccomp in ValidatingPolicy
The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.30 or later, ensures that seccomp is unset or set to `RuntimeDefault` or `Localhost`.
Policy Definition
/pod-security-vpol/baseline/restrict-seccomp/restrict-seccomp.yaml
```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: restrict-seccomp
  annotations:
    policies.kyverno.io/title: Restrict Seccomp in ValidatingPolicy
    policies.kyverno.io/category: Pod Security Standards (Baseline) in ValidatingPolicy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.14.0
    kyverno.io/kyverno-version: 1.14.0
    kyverno.io/kubernetes-version: "1.30+"
    policies.kyverno.io/description: >-
      The seccomp profile must not be explicitly set to Unconfined. This policy,
      requiring Kubernetes v1.30 or later, ensures that seccomp is unset or
      set to `RuntimeDefault` or `Localhost`.
spec:
  # Audit only reports violations; switch to Deny to block admission.
  validationActions:
    - Audit
  evaluation:
    background:
      enabled: true
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # Every container kind is checked; init and ephemeral lists are optional.
    - name: allContainers
      expression: >-
        object.spec.containers +
        object.spec.?initContainers.orValue([]) +
        object.spec.?ephemeralContainers.orValue([])

    - name: allowedProfileTypes
      expression: "['RuntimeDefault', 'Localhost']"

    # An unset pod-level profile is treated as allowed via orValue('Localhost').
    - name: hasValidSeccompProfile
      expression: >-
        object.spec.?securityContext.?seccompProfile.?type.orValue('Localhost') in variables.allowedProfileTypes

  validations:
    - expression: >-
        variables.hasValidSeccompProfile &&
        variables.allContainers.all(container,
          container.?securityContext.?seccompProfile.?type.orValue('Localhost') in variables.allowedProfileTypes)
      message: >-
        Use of custom Seccomp profiles is disallowed. The field
        `securityContext.seccompProfile.type` must be unset or set to `RuntimeDefault` or `Localhost`.
```
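To trace how the policy's CEL expressions evaluate without a cluster, the following added example (not part of the Kyverno policy library) re-implements the `allContainers`, `allowedProfileTypes` and `hasValidSeccompProfile` variables and the final validation in plain Python and runs them over constructed Pod manifests. Unlike the policy, which yields a single pass/fail and one message, `evaluate()` reports each offending scope (pod level or a named container) so the reader can see which field triggered the result; the sample Pods and the function names are assumptions made for this example.

```python
"""Added example: a Python mirror of the restrict-seccomp ValidatingPolicy's
CEL checks, run over constructed Pod manifests. Not Kyverno code."""

# Mirror of variables.allowedProfileTypes
ALLOWED_PROFILE_TYPES = {"RuntimeDefault", "Localhost"}

# Mirror of the policy's validation message
POLICY_MESSAGE = (
    "Use of custom Seccomp profiles is disallowed. The field "
    "`securityContext.seccompProfile.type` must be unset or set to "
    "`RuntimeDefault` or `Localhost`."
)


def profile_type(scope):
    """Mirror of `?securityContext.?seccompProfile.?type.orValue('Localhost')`.

    `scope` is a pod spec or a container dict. If any level of the path is
    absent (or null), the default 'Localhost' is returned, which is an allowed
    value, so only an explicitly set disallowed type such as Unconfined fails.
    """
    sc = (scope or {}).get("securityContext") or {}
    prof = sc.get("seccompProfile") or {}
    t = prof.get("type")
    return "Localhost" if t is None else t


def all_containers(spec):
    """Mirror of variables.allContainers: regular + init + ephemeral containers."""
    return (
        list(spec.get("containers") or [])
        + list(spec.get("initContainers") or [])
        + list(spec.get("ephemeralContainers") or [])
    )


def evaluate(pod):
    """Return the list of violations; an empty list means the Pod passes."""
    spec = pod.get("spec") or {}
    violations = []
    pod_type = profile_type(spec)  # variables.hasValidSeccompProfile
    if pod_type not in ALLOWED_PROFILE_TYPES:
        violations.append("pod-level seccompProfile.type=%r" % pod_type)
    for c in all_containers(spec):  # the .all(container, ...) clause
        t = profile_type(c)
        if t not in ALLOWED_PROFILE_TYPES:
            violations.append(
                "container %r seccompProfile.type=%r" % (c.get("name", "?"), t)
            )
    return violations


def passes(pod):
    """Equivalent of the policy's single boolean validation expression."""
    return not evaluate(pod)


def _pod(name, spec):
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Constructed sample Pods (assumed, not from the page)
SAMPLE_PODS = {
    "unset": _pod("unset", {"containers": [{"name": "app", "image": "example/app"}]}),
    "runtime-default": _pod("runtime-default", {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "example/app"}],
    }),
    "localhost-profile": _pod("localhost-profile", {
        "containers": [{"name": "app", "image": "example/app"}],
        "ephemeralContainers": [{
            "name": "debug", "image": "example/debug",
            "securityContext": {"seccompProfile": {
                "type": "Localhost", "localhostProfile": "profiles/audit.json"}},
        }],
    }),
    "pod-unconfined": _pod("pod-unconfined", {
        "securityContext": {"seccompProfile": {"type": "Unconfined"}},
        "containers": [{"name": "app", "image": "example/app"}],
    }),
    "init-unconfined": _pod("init-unconfined", {
        "containers": [{"name": "app", "image": "example/app"}],
        "initContainers": [{
            "name": "setup", "image": "example/setup",
            "securityContext": {"seccompProfile": {"type": "Unconfined"}},
        }],
    }),
}

if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        v = evaluate(pod)
        print("%-18s %s" % (name, "PASS" if not v else "FAIL: " + "; ".join(v)))
```

The `init-unconfined` case is the one worth noting: the pod-level check alone passes, and only the `allContainers` union catches the init container, which is why the policy folds init and ephemeral containers into the same `.all()` clause.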