---
title: "Restrict Seccomp Strict"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/restricted/restrict-seccomp-strict/
---



### Description
The seccomp profile must be explicitly set to one of the allowed values. Both the `Unconfined` profile and the absence of a profile are prohibited. [This is a Linux-only policy](https://kubernetes.io/docs/concepts/security/pod-security-standards/#os-specific-policy-controls) in v1.25+ (`spec.os.name != windows`).

**Restricted Fields**
* spec.securityContext.seccompProfile.type
* spec.containers[*].securityContext.seccompProfile.type
* spec.initContainers[*].securityContext.seccompProfile.type
* spec.ephemeralContainers[*].securityContext.seccompProfile.type

**Allowed Values**
* RuntimeDefault
* Localhost

### Risks
Seccomp filters the system calls a process may make according to rules defined in a seccomp profile. Do not use the `Unconfined` profile: it lets a container invoke any syscall. Many syscalls are harmless, but others can be used to escalate privileges, change kernel settings, or perform other undesirable actions. Applying a seccomp profile (`RuntimeDefault` is the container runtime's built-in profile; `Localhost` loads a profile file from the node) reduces the attack surface by restricting the syscalls a container can make.

### Kyverno Policy
Refer to the Nirmata curated policies - [restrict-seccomp-strict.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml)

### References
#### Configuration Settings
Use of the `Unconfined` seccomp profile, or omission of a profile, is disallowed. The fields `spec.securityContext.seccompProfile.type`, `spec.containers[*].securityContext.seccompProfile.type`, `spec.initContainers[*].securityContext.seccompProfile.type`, and `spec.ephemeralContainers[*].securityContext.seccompProfile.type` must be set to `RuntimeDefault` or `Localhost`. A container that sets no `seccompProfile` of its own inherits the pod-level `spec.securityContext.seccompProfile`, so the pod-level field must be set unless every container sets an allowed value itself.

```yaml
# Kyverno validate pattern, rooted at the Pod spec. `=(key)` is an equality
# anchor: if the key is present in the resource, its value must match the
# pattern; if it is absent, the anchor is skipped. The pod-level type is
# required here, and any container that sets its own type may only use an
# allowed value.
spec:
  securityContext:
    seccompProfile:
      type: "RuntimeDefault | Localhost"
  =(ephemeralContainers):
  - =(securityContext):
      =(seccompProfile):
        =(type): "RuntimeDefault | Localhost"
  =(initContainers):
  - =(securityContext):
      =(seccompProfile):
        =(type): "RuntimeDefault | Localhost"
  containers:
  - =(securityContext):
      =(seccompProfile):
        =(type): "RuntimeDefault | Localhost"
```
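The following is an added, stand-alone re-implementation of the check the pattern above encodes; it is illustrative code written for this page, not the Kyverno engine or part of the Nirmata policy set. It walks every container list, resolves each container's effective `seccompProfile` (its own if set, otherwise the pod-level one), and reports anything that is missing or not `RuntimeDefault`/`Localhost`. It also flags `Localhost` without a `localhostProfile`, since the Kubernetes API server rejects that combination. The sample Pod specs are constructed for the example; the first mirrors the page's `gooddeployment` template.

```python
"""Stand-alone check mirroring the restrict-seccomp-strict rule.

Illustrative code added for this page (not Kyverno, not the Nirmata policy
set). Every container's effective seccompProfile.type must be RuntimeDefault
or Localhost; a container with no seccompProfile of its own inherits the
pod-level spec.securityContext.seccompProfile.
"""

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def _profile(security_context):
    """Return the seccompProfile dict of a securityContext, or None if absent."""
    return (security_context or {}).get("seccompProfile")


def check_seccomp_strict(pod_spec):
    """Return a list of violation strings; an empty list means compliant.

    `pod_spec` is the content of `spec` for a Pod, or of `spec.template.spec`
    for a Deployment, StatefulSet, DaemonSet or Job.
    """
    violations = []
    pod_profile = _profile(pod_spec.get("securityContext"))

    for list_name in CONTAINER_LISTS:
        for ctr in pod_spec.get(list_name, []):
            own = _profile(ctr.get("securityContext"))
            # A container-level profile overrides the pod-level one;
            # with no profile of its own the container inherits the pod's.
            effective = own if own is not None else pod_profile
            where = f"spec.{list_name}[{ctr.get('name', '?')}]"
            if effective is None:
                violations.append(f"{where}: no seccompProfile at container or pod level")
                continue
            ptype = effective.get("type")
            if ptype not in ALLOWED_TYPES:
                violations.append(
                    f"{where}: seccompProfile.type is {ptype!r}, "
                    "must be RuntimeDefault or Localhost")
            elif ptype == "Localhost" and not effective.get("localhostProfile"):
                # The API server requires localhostProfile when type is Localhost.
                violations.append(f"{where}: type Localhost requires localhostProfile")
    return violations


# Constructed sample Pod specs (not taken from a live cluster).
GOOD_POD_SPEC = {  # same shape as the page's gooddeployment template
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [
        {"name": "initcontainer01", "image": "dummyimagename",
         "securityContext": {"seccompProfile": {
             "type": "Localhost",
             "localhostProfile": "operator/default/profile1.json"}}},
        {"name": "initcontainer02", "image": "dummyimagename",
         "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
    ],
    "containers": [{"name": "container01", "image": "dummyimagename"}],
}

UNCONFINED_POD_SPEC = {  # pod-level Unconfined, inherited by the container
    "securityContext": {"seccompProfile": {"type": "Unconfined"}},
    "containers": [{"name": "app", "image": "dummyimagename"}],
}

NO_PROFILE_POD_SPEC = {  # no pod-level profile; sidecar sets none of its own
    "containers": [
        {"name": "app", "image": "dummyimagename",
         "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
        {"name": "sidecar", "image": "dummyimagename"},
    ],
}

OVERRIDE_POD_SPEC = {  # pod-level Unconfined overridden by every container
    "securityContext": {"seccompProfile": {"type": "Unconfined"}},
    "containers": [
        {"name": "app", "image": "dummyimagename",
         "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
    ],
}

if __name__ == "__main__":
    for label, spec in [("good", GOOD_POD_SPEC), ("unconfined", UNCONFINED_POD_SPEC),
                        ("no-profile", NO_PROFILE_POD_SPEC), ("override", OVERRIDE_POD_SPEC)]:
        result = check_seccomp_strict(spec)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for v in result:
            print(f"  - {v}")
```

The `OVERRIDE_POD_SPEC` case is worth noting: a pod-level `Unconfined` is accepted as long as every container replaces it with an allowed value, which matches the Kyverno `anyPattern` behaviour of accepting either a compliant pod-level setting or compliant settings on every container.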

#### Resource Example
Below is a `Deployment` resource example that passes the policy. The pod-level `spec.securityContext.seccompProfile.type` is `RuntimeDefault`, which `container01` inherits because it sets no `seccompProfile` of its own; the two `initContainers` set their own profiles, `Localhost` (with the required `localhostProfile`) and `RuntimeDefault` respectively.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seccompProfile:
            # Localhost loads a profile file from the node; localhostProfile is required.
            type: Localhost
            localhostProfile: operator/default/profile1.json
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: RuntimeDefault
      containers:
      - name: container01
        image: dummyimagename
        # No container-level seccompProfile: inherits the pod-level RuntimeDefault below.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
```


