Description
Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited. This is Linux only policy
in v1.25+ (spec.os.name != windows)
Restricted Fields
- spec.securityContext.seccompProfile.type
- spec.containers[*].securityContext.seccompProfile.type
- spec.initContainers[*].securityContext.seccompProfile.type
- spec.ephemeralContainers[*].securityContext.seccompProfile.type
Allowed Values
- RuntimeDefault
- Localhost
Kyverno Policy
Refer to the Nirmata curated policies - restrict-seccomp-strict.yaml
References
Configuration Settings
Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type, spec.containers[*].securityContext.seccompProfile.type, spec.initContainers[*].securityContext.seccompProfile.type, and spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to RuntimeDefault or Localhost.
securityContext:
seccompProfile:
type: "RuntimeDefault | Localhost"
=(ephemeralContainers):
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
=(initContainers):
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
containers:
- =(securityContext):
=(seccompProfile):
=(type): "RuntimeDefault | Localhost"
Resource Example
Below is a Deployment resource example where securityContext.seccompProfile.type is set to either RuntimeDefault or Localhost for all initContainers, containers, and spec.securityContext.
apiVersion: apps/v1
kind: Deployment
metadata:
name: gooddeployment
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
initContainers:
- name: initcontainer01
image: dummyimagename
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/profile1.json
- name: initcontainer02
image: dummyimagename
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- name: container01
image: dummyimagename
securityContext:
seccompProfile:
type: RuntimeDefault