kyverno/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml

{{- $name := "restrict-seccomp-strict" }}
{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: {{ $name }}
  annotations:
    policies.kyverno.io/title: Restrict Seccomp (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    {{- if .Values.podSecuritySeverity }}
    policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
    {{- end }}
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      The seccomp profile in the Restricted group must not be explicitly set to Unconfined
      but additionally must also not allow an unset value. This policy, 
      requiring Kubernetes v1.19 or later, ensures that seccomp is 
      set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
  background: {{ .Values.background }}
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  rules:
    - name: check-seccomp-strict
      match:
        any:
        - resources:
            kinds:
              - Pod
      {{- with index .Values "policyExclude" $name }}
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with index .Values "policyPreconditions" $name }}
      preconditions:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      validate:
        message: >-
          Use of custom Seccomp profiles is disallowed. The fields
          spec.securityContext.seccompProfile.type,
          spec.containers[*].securityContext.seccompProfile.type,
          spec.initContainers[*].securityContext.seccompProfile.type, and
          spec.ephemeralContainers[*].securityContext.seccompProfile.type
          must be set to `RuntimeDefault` or `Localhost`.
        anyPattern:
        - spec:
            securityContext:
              seccompProfile:
                type: "RuntimeDefault | Localhost"
            =(ephemeralContainers):
            - =(securityContext):
                =(seccompProfile):
                  =(type): "RuntimeDefault | Localhost"
            =(initContainers):
            - =(securityContext):
                =(seccompProfile):
                  =(type): "RuntimeDefault | Localhost"
            containers:
            - =(securityContext):
                =(seccompProfile):
                  =(type): "RuntimeDefault | Localhost"
        - spec:
            =(ephemeralContainers):
            - securityContext:
                seccompProfile:
                  type: "RuntimeDefault | Localhost"
            =(initContainers):
            - securityContext:
                seccompProfile:
                  type: "RuntimeDefault | Localhost"
            containers:
            - securityContext:
                seccompProfile:
                  type: "RuntimeDefault | Localhost"
{{- end }}
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`{{- $name := "restrict-seccomp-strict" }}`
			`{{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}`
			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: {{ $name }}`
			`annotations:`
			`policies.kyverno.io/title: Restrict Seccomp (Strict)`
			`policies.kyverno.io/category: Pod Security Standards (Restricted)`
			`{{- if .Values.podSecuritySeverity }}`
			`policies.kyverno.io/severity: {{ .Values.podSecuritySeverity \| quote }}`
			`{{- end }}`
			`policies.kyverno.io/subject: Pod`
			`kyverno.io/kyverno-version: 1.6.0`
			`kyverno.io/kubernetes-version: "1.22-1.23"`
			`policies.kyverno.io/description: >-`
			`The seccomp profile in the Restricted group must not be explicitly set to Unconfined`
			`but additionally must also not allow an unset value. This policy,`
			`requiring Kubernetes v1.19 or later, ensures that seccomp is`
			set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
			using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
			`spec:`
feat: support background mode configuration in kyverno-policies chart (#3299) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> 2022-02-24 17:31:51 +01:00			`background: {{ .Values.background }}`
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`validationFailureAction: {{ .Values.validationFailureAction }}`
Allow setting validationFailureActionOverrides for policies (#3201) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> 2022-02-09 03:24:35 -05:00			`{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}`
			`validationFailureActionOverrides: {{ toYaml . \| nindent 4 }}`
			`{{- end }}`
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`rules:`
			`- name: check-seccomp-strict`
			`match:`
			`any:`
			`- resources:`
			`kinds:`
			`- Pod`
			`{{- with index .Values "policyExclude" $name }}`
			`exclude:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
Allow kyverno-policies to have preconditions defined (#3606) * Allow kyverno-policies to have preconditions defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix docs Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> 2022-04-18 13:59:47 -04:00			`{{- with index .Values "policyPreconditions" $name }}`
			`preconditions:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`validate:`
			`message: >-`
			`Use of custom Seccomp profiles is disallowed. The fields`
			`spec.securityContext.seccompProfile.type,`
			`spec.containers[*].securityContext.seccompProfile.type,`
			`spec.initContainers[*].securityContext.seccompProfile.type, and`
			`spec.ephemeralContainers[*].securityContext.seccompProfile.type`
			must be set to `RuntimeDefault` or `Localhost`.
			`anyPattern:`
			`- spec:`
			`securityContext:`
			`seccompProfile:`
			`type: "RuntimeDefault \| Localhost"`
			`=(ephemeralContainers):`
			`- =(securityContext):`
			`=(seccompProfile):`
			`=(type): "RuntimeDefault \| Localhost"`
			`=(initContainers):`
			`- =(securityContext):`
			`=(seccompProfile):`
			`=(type): "RuntimeDefault \| Localhost"`
			`containers:`
			`- =(securityContext):`
			`=(seccompProfile):`
			`=(type): "RuntimeDefault \| Localhost"`
			`- spec:`
			`=(ephemeralContainers):`
			`- securityContext:`
			`seccompProfile:`
			`type: "RuntimeDefault \| Localhost"`
			`=(initContainers):`
			`- securityContext:`
			`seccompProfile:`
			`type: "RuntimeDefault \| Localhost"`
			`containers:`
			`- securityContext:`
			`seccompProfile:`
			`type: "RuntimeDefault \| Localhost"`
			`{{- end }}`