Restrict Seccomp in ValidatingPolicy

The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.30 or later, ensures that seccomp is unset or set to `RuntimeDefault` or `Localhost`.

Policy Definition

/pod-security-vpol/baseline/restrict-seccomp/restrict-seccomp.yaml

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: restrict-seccomp
  annotations:
    policies.kyverno.io/title: Restrict Seccomp in ValidatingPolicy
    policies.kyverno.io/category: Pod Security Standards (Baseline) in ValidatingPolicy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.14.0
    kyverno.io/kyverno-version: 1.14.0
    kyverno.io/kubernetes-version: "1.30+"
    policies.kyverno.io/description: >-
      The seccomp profile must not be explicitly set to Unconfined. This policy,
      requiring Kubernetes v1.30 or later, ensures that seccomp is unset or
      set to `RuntimeDefault` or `Localhost`.
spec:
  # Audit records violations without rejecting the request.
  validationActions:
    - Audit
  evaluation:
    background:
      enabled: true
  matchConstraints:
    resourceRules:
      - apiGroups:   [""]
        apiVersions: ["v1"]
        operations:  ["CREATE", "UPDATE"]
        resources:   ["pods"]
  variables:
  # Regular, init and ephemeral containers; the optional lists default to empty.
  - name: allContainers
    expression: >-
      object.spec.containers +
      object.spec.?initContainers.orValue([]) +
      object.spec.?ephemeralContainers.orValue([])
  - name: allowedProfileTypes
    expression: "['RuntimeDefault', 'Localhost']"
  # Pod-level check: an unset type falls back to 'Localhost', which is allowed.
  - name: hasValidSeccompProfile
    expression: >-
      object.spec.?securityContext.?seccompProfile.?type.orValue('Localhost') in variables.allowedProfileTypes
  validations:
  # The pod-level type and every container-level type must each be allowed.
  # The message is shown when any of them is outside allowedProfileTypes.
  - expression: >-
      variables.hasValidSeccompProfile &&
      variables.allContainers.all(container,
        container.?securityContext.?seccompProfile.?type.orValue('Localhost') in variables.allowedProfileTypes)
    message: >-
      Use of custom Seccomp profiles is disallowed. The field
      `securityContext.seccompProfile.type` must be unset or set to `RuntimeDefault` or `Localhost`.
```