mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
34 lines
1.1 KiB
YAML
34 lines
1.1 KiB
YAML
|
apiVersion: kyverno.io/v1
|
||
|
|
kind: ClusterPolicy
|
||
|
|
metadata:
|
||
|
|
name: add-pod-default-seccompprofile
|
||
|
|
annotations:
|
||
|
|
policies.kyverno.io/category: Security
|
||
|
|
policies.kyverno.io/description: Seccomp Profiles restrict the system calls that can be made
|
||
|
|
from a process. The Linux kernel has a few hundred system calls, but most of them are not
|
||
|
|
needed by any given process. If a process can be compromised and tricked into making other
|
||
|
|
system calls, though, it may lead to a security vulnerability that could result in the
|
||
|
|
compromise of the whole system. By restricting what system calls can be made, seccomp is
|
||
|
|
a key component for building application sandboxes.
|
||
|
|
spec:
|
||
|
|
background: false
|
||
|
|
validationFailureAction: audit
|
||
|
|
rules:
|
||
|
|
- name: add-pod-default-seccompprofile
|
||
|
|
match:
|
||
|
|
resources:
|
||
|
|
kinds:
|
||
|
|
- Pod
|
||
|
|
exclude:
|
||
|
|
resources:
|
||
|
|
namespaces:
|
||
|
|
- "kube-system"
|
||
|
|
- "kube-public"
|
||
|
|
- "default"
|
||
|
|
- "kyverno"
|
||
|
|
mutate:
|
||
|
|
patchStrategicMerge:
|
||
|
|
spec:
|
||
|
|
securityContext:
|
||
|
|
seccompProfile:
|
||
|
|
type: RuntimeDefault
|