add Seccomp securityContext example (#1411)

Signed-off-by: gmay <mrgregmay@gmail.com>

samples/AddSeccompProfile.md

@@ -0,0 +1,39 @@
+# Add RuntimeDefault Seccomp Profile Security Context to pods
+
+Seccomp Profiles restrict the system calls that can be made from a process. The Linux kernel has a few hundred system calls, but most of them are not needed by any given process. If a process can be compromised and tricked into making other system calls, though, it may lead to a security vulnerability that could result in the compromise of the whole system. By restricting what system calls can be made, seccomp is a key component for building application sandboxes. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+
+
+## Policy YAML
+
+[add_pod_default_seccompprofile.yaml](more/add_pod_default_seccompprofile.yaml)
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-pod-default-seccompprofile
+  annotations:
+    policies.kyverno.io/category: Security
+spec:
+  background: false
+  validationFailureAction: audit
+  rules:
+  - name: add-pod-default-seccompprofile
+    match:
+      resources:
+        kinds:
+        - Pod
+    exclude:
+      resources:
+        namespaces:
+          - "kube-system"
+          - "kube-public"
+          - "default"
+          - "kyverno"
+    mutate:
+      patchStrategicMerge:
+        spec:
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+```

samples/README.md

@@ -45,6 +45,7 @@ These policies provide additional best practices and are worthy of close conside
 1. [Disallow mounting Secrets as environment variables](DisallowSecretsFromEnvVars.md)
 1. [Add default labels](AddDefaultLabels.md)
 1. [Require all Pods drop all capabilities](RequirePodsDropAll.md)
+1. [Add seccompProfile securityContext ](AddSeccompProfile.md)
 
 ## Miscellaneous Policies
 

samples/more/add_pod_default_seccompprofile.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-pod-default-seccompprofile
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: Seccomp Profiles restrict the system calls that can be made
+      from a process. The Linux kernel has a few hundred system calls, but most of them are not
+      needed by any given process. If a process can be compromised and tricked into making other
+      system calls, though, it may lead to a security vulnerability that could result in the
+      compromise of the whole system. By restricting what system calls can be made, seccomp is
+      a key component for building application sandboxes.
+spec:
+  background: false
+  validationFailureAction: audit
+  rules:
+  - name: add-pod-default-seccompprofile
+    match:
+      resources:
+        kinds:
+        - Pod
+    exclude:
+      resources:
+        namespaces:
+          - "kube-system"
+          - "kube-public"
+          - "default"
+          - "kyverno"
+    mutate:
+      patchStrategicMerge:
+        spec:
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault