Restrict Seccomp

Description

The seccomp profile must not be explicitly set to Unconfined, either at the pod level or on any init, ephemeral or regular container.

Restricted Fields

  • spec.securityContext.seccompProfile.type
  • spec.containers[*].securityContext.seccompProfile.type
  • spec.initContainers[*].securityContext.seccompProfile.type
  • spec.ephemeralContainers[*].securityContext.seccompProfile.type

Allowed Values

  • Undefined/nil
  • RuntimeDefault
  • Localhost

Kyverno Policy

Refer to the Nirmata curated policies - restrict-seccomp.yaml

References

Configuration Settings

In the pattern below, =(field) is Kyverno's conditional anchor: the nested pattern is evaluated only when that field is present in the resource. So for the pod-level securityContext, and for every entry of ephemeralContainers, initContainers and containers, if securityContext.seccompProfile.type is set it must be RuntimeDefault or Localhost; if the field is absent, the resource is conformant by default. containers is the only unanchored key because every Pod spec must have it. Note that the check is on the type field only; a Localhost profile's contents are not validated by this control.

=(securityContext):
  =(seccompProfile):
    =(type): "RuntimeDefault | Localhost"
=(ephemeralContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
=(initContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
containers:
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
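The anchor semantics described above, as an added example that is not part of the Nirmata policy or of Kyverno itself: a minimal Python interpreter for the subset of Kyverno pattern syntax this policy uses (=(field) conditional anchors, list patterns and "a | b" alternatives), run against two constructed Pod specs. The function names (match, check_pod_spec, is_conformant) and the sample specs are assumptions made here; the real Kyverno engine is the authority for anything outside this subset.

```python
"""Added example, not Nirmata's or Kyverno's code: a minimal interpreter for the
subset of Kyverno pattern syntax that restrict-seccomp uses, applied to
constructed Pod specs.  Supported: `=(field)` conditional anchors, list
patterns and `a | b` alternatives.  Everything else is out of scope."""
import re

ANCHOR = re.compile(r"^=\((.+)\)$")   # Kyverno conditional anchor, e.g. =(type)

# Pod-spec-level pattern, transcribed from the Configuration Settings above.
_SECCOMP_TYPE = {"=(seccompProfile)": {"=(type)": "RuntimeDefault | Localhost"}}
RESTRICT_SECCOMP_PATTERN = {
    "=(securityContext)": _SECCOMP_TYPE,
    "=(ephemeralContainers)": [{"=(securityContext)": _SECCOMP_TYPE}],
    "=(initContainers)": [{"=(securityContext)": _SECCOMP_TYPE}],
    "containers": [{"=(securityContext)": _SECCOMP_TYPE}],  # unanchored: always required
}


def match(pattern, resource, path="spec"):
    """Return a list of violation messages; an empty list means conformant."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return [f"{path}: expected a mapping"]
        violations = []
        for key, sub in pattern.items():
            anchored = ANCHOR.match(key)
            field = anchored.group(1) if anchored else key
            if field not in resource:
                if not anchored:          # plain key: absence is a violation
                    violations.append(f"{path}.{field}: required field missing")
                continue                  # =(key): absent field means "skip"
            violations += match(sub, resource[field], f"{path}.{field}")
        return violations
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return [f"{path}: expected a list"]
        violations = []
        for i, item in enumerate(resource):   # every element must satisfy the element pattern
            for sub in pattern:
                violations += match(sub, item, f"{path}[{i}]")
        return violations
    # Scalar pattern: "a | b" accepts any one of the alternatives.
    allowed = [alt.strip() for alt in str(pattern).split("|")]
    if str(resource) in allowed:
        return []
    return [f"{path}: {resource!r} is not one of {allowed}"]


def check_pod_spec(spec):
    """Violations of restrict-seccomp for a bare Pod spec (the mapping under spec:)."""
    return match(RESTRICT_SECCOMP_PATTERN, spec)


def is_conformant(spec):
    return not check_pod_spec(spec)


# Constructed sample specs (not taken from the page).
GOOD_POD = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{
        "name": "init", "image": "busybox",
        "securityContext": {"seccompProfile": {
            "type": "Localhost", "localhostProfile": "operator/default/profile1.json"}},
    }],
    # No securityContext at all: allowed, the anchor makes the check conditional.
    "containers": [{"name": "app", "image": "nginx"}],
}

BAD_POD = {
    "containers": [{
        "name": "app", "image": "nginx",
        "securityContext": {"seccompProfile": {"type": "Unconfined"}},
    }],
    # Unconfined in an ephemeral debug container is caught as well.
    "ephemeralContainers": [{
        "name": "debug", "image": "busybox",
        "securityContext": {"seccompProfile": {"type": "Unconfined"}},
    }],
}

if __name__ == "__main__":
    for name, spec in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(name, "->", check_pod_spec(spec) or "conformant")
```

This interpreter only sees a bare Pod spec; in a cluster, Kyverno's auto-generated rules apply the same Pod pattern to the pod template of Deployments, StatefulSets and other pod controllers, which is why the Resource Example below is a Deployment rather than a Pod.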

Resource Example

Below is a Deployment resource example that conforms to this control: initcontainer01 uses a Localhost profile (type Localhost requires localhostProfile to name the profile file), initcontainer02 uses RuntimeDefault, and container01 leaves seccompProfile unset, which is also allowed.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: operator/default/profile1.json
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: RuntimeDefault
      containers:
      - name: container01
        image: dummyimagename