Restrict Seccomp Strict

Description

The seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited. This policy applies to Linux pods only; on Kubernetes v1.25+ it is skipped for pods whose spec.os.name is set to windows.

Restricted Fields

  • spec.securityContext.seccompProfile.type
  • spec.containers[*].securityContext.seccompProfile.type
  • spec.initContainers[*].securityContext.seccompProfile.type
  • spec.ephemeralContainers[*].securityContext.seccompProfile.type

Allowed Values

  • RuntimeDefault
  • Localhost

Kyverno Policy

Refer to the Nirmata curated policies - restrict-seccomp-strict.yaml

References

Configuration Settings

Use of the Unconfined seccomp profile, or omission of a pod-level profile, is disallowed. The field spec.securityContext.seccompProfile.type must be present and set to RuntimeDefault or Localhost, and spec.containers[*].securityContext.seccompProfile.type, spec.initContainers[*].securityContext.seccompProfile.type, and spec.ephemeralContainers[*].securityContext.seccompProfile.type, where set, must also be RuntimeDefault or Localhost. In the pattern below the pod-level securityContext carries no anchor, so it is required; the container-level fields use =() equality anchors and are validated only when they are present, because a container that sets no profile of its own inherits the pod-level one.

securityContext:
  seccompProfile:
    type: "RuntimeDefault | Localhost"
=(ephemeralContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
=(initContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
containers:
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"

Resource Example

Below is a Deployment resource example that passes the policy. spec.securityContext.seccompProfile.type is set to RuntimeDefault at the pod level, initcontainer01 uses a Localhost profile and initcontainer02 uses RuntimeDefault, and container01 sets no seccompProfile of its own, so it inherits the pod-level RuntimeDefault. The policy matches Pods; Kyverno applies it to the Deployment's pod template through its auto-generated rules.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: operator/default/profile1.json
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: RuntimeDefault
      containers:
      - name: container01
        image: dummyimagename
      securityContext:
        seccompProfile:
          type: RuntimeDefault
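The following is an added example, not part of the curated policy or of Kyverno itself: a stand-alone Python re-implementation of the checks the pattern in Configuration Settings performs, run against constructed Pod specs, including the pod template of the Deployment above, a violating spec, and a Windows spec. The function name check_seccomp_strict and the sample specs are this example's own; the rules it encodes (pod-level type required, container-level type checked only when present, Windows pods skipped) are the ones stated on this page.

```python
"""Offline re-implementation of the restrict-seccomp-strict checks.

Added example code; it is not Kyverno's engine and does not parse the
ClusterPolicy. It exists to show which fields the pattern requires and
which it only validates when present.
"""

ALLOWED = {"RuntimeDefault", "Localhost"}
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def _profile_type(security_context):
    """Return seccompProfile.type from a securityContext dict, or None if unset."""
    if not security_context:
        return None
    profile = security_context.get("seccompProfile") or {}
    return profile.get("type")


def check_seccomp_strict(pod_spec):
    """Return the list of violations for a Pod spec; an empty list means allowed.

    - spec.securityContext.seccompProfile.type has no anchor in the pattern,
      so it must be present and be RuntimeDefault or Localhost.
    - Container-level types sit under =() anchors, so they are checked only
      when set; an unset value inherits the pod-level profile.
    - The policy is Linux-only: spec.os.name == windows is skipped.
    """
    if (pod_spec.get("os") or {}).get("name") == "windows":
        return []

    violations = []
    pod_type = _profile_type(pod_spec.get("securityContext"))
    if pod_type is None:
        violations.append("spec.securityContext.seccompProfile.type is unset")
    elif pod_type not in ALLOWED:
        violations.append(
            f"spec.securityContext.seccompProfile.type is {pod_type!r}")

    for list_name in CONTAINER_LISTS:
        for idx, container in enumerate(pod_spec.get(list_name) or []):
            ctype = _profile_type(container.get("securityContext"))
            if ctype is not None and ctype not in ALLOWED:
                violations.append(
                    f"spec.{list_name}[{idx}].securityContext.seccompProfile"
                    f".type is {ctype!r}")
    return violations


# Constructed sample: the pod template of the Deployment on this page.
GOOD_SPEC = {
    "initContainers": [
        {"name": "initcontainer01", "image": "dummyimagename",
         "securityContext": {"seccompProfile": {
             "type": "Localhost",
             "localhostProfile": "operator/default/profile1.json"}}},
        {"name": "initcontainer02", "image": "dummyimagename",
         "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
    ],
    "containers": [{"name": "container01", "image": "dummyimagename"}],
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
}

# Constructed sample: Unconfined at pod level and in one container.
BAD_SPEC = {
    "initContainers": [{"name": "init", "image": "dummyimagename"}],
    "containers": [
        {"name": "app", "image": "dummyimagename",
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        {"name": "sidecar", "image": "dummyimagename"},
    ],
    "securityContext": {"seccompProfile": {"type": "Unconfined"}},
}

# Constructed sample: a Windows pod, which the policy does not evaluate.
WINDOWS_SPEC = {
    "os": {"name": "windows"},
    "containers": [{"name": "win", "image": "dummyimagename"}],
}

if __name__ == "__main__":
    for label, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC),
                        ("windows", WINDOWS_SPEC)):
        result = check_seccomp_strict(spec)
        print(f"{label}: {'pass' if not result else 'fail'}")
        for msg in result:
            print("  " + msg)
```

The asymmetry to notice is the pod-level field: a spec with a fully annotated container list but no spec.securityContext.seccompProfile still fails, because the strict variant treats a missing pod-level profile as prohibited rather than as "inherit the runtime default".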