mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-05 07:26:55 +00:00
add Seccomp securityContext example (#1411)
Signed-off-by: gmay <mrgregmay@gmail.com>
This commit is contained in:
parent
3c5f9f8888
commit
a6be0912ae
3 changed files with 74 additions and 0 deletions
39
samples/AddSeccompProfile.md
Normal file
@ -0,0 +1,39 @@
# Add RuntimeDefault Seccomp Profile Security Context to pods
Seccomp Profiles restrict the system calls that can be made from a process. The Linux kernel has a few hundred system calls, but most of them are not needed by any given process. If a process can be compromised and tricked into making other system calls, though, it may lead to a security vulnerability that could result in the compromise of the whole system. By restricting what system calls can be made, seccomp is a key component for building application sandboxes. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
## Policy YAML
[add_pod_default_seccompprofile.yaml](more/add_pod_default_seccompprofile.yaml)
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-pod-default-seccompprofile
annotations:
policies.kyverno.io/category: Security
spec:
background: false
validationFailureAction: audit
rules:
- name: add-pod-default-seccompprofile
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- "kube-system"
- "kube-public"
- "default"
- "kyverno"
mutate:
patchStrategicMerge:
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
```
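Review bot: the doc should say what the mutation does and does not cover. The patch only sets the pod-level `spec.securityContext.seccompProfile`; a container that declares its own `securityContext.seccompProfile` overrides the pod-level value, so the mutated pod can still run a container without the RuntimeDefault profile. Two related points worth a sentence each: the `seccompProfile` field requires Kubernetes 1.19 or newer (older API servers drop it silently), and `validationFailureAction: audit` is a validate-rule setting that has no effect on this mutate-only policy, so either drop it or note that it is inert. The bare URL at the end of the description paragraph would also read better as a proper link, since the paragraph is quoted from that page.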
@ -45,6 +45,7 @@ These policies provide additional best practices and are worthy of close conside
1. [Disallow mounting Secrets as environment variables](DisallowSecretsFromEnvVars.md)
1. [Add default labels](AddDefaultLabels.md)
1. [Require all Pods drop all capabilities](RequirePodsDropAll.md)
1. [Add seccompProfile securityContext ](AddSeccompProfile.md)
## Miscellaneous Policies
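Review bot: style nit on the new list entry: the link text `[Add seccompProfile securityContext ]` carries a trailing space before the closing bracket, which renders as a stray space in the link. Suggest `[Add seccompProfile securityContext](AddSeccompProfile.md)`, or better, match the wording of the new page's heading ("Add RuntimeDefault Seccomp Profile Security Context to pods") so the index and the page agree on what the policy does.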
34
samples/more/add_pod_default_seccompprofile.yaml
Normal file
@ -0,0 +1,34 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-pod-default-seccompprofile
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: Seccomp Profiles restrict the system calls that can be made
from a process. The Linux kernel has a few hundred system calls, but most of them are not
needed by any given process. If a process can be compromised and tricked into making other
system calls, though, it may lead to a security vulnerability that could result in the
compromise of the whole system. By restricting what system calls can be made, seccomp is
a key component for building application sandboxes.
spec:
background: false
validationFailureAction: audit
rules:
- name: add-pod-default-seccompprofile
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- "kube-system"
- "kube-public"
- "default"
- "kyverno"
mutate:
patchStrategicMerge:
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
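Review bot: the `patchStrategicMerge` unconditionally overwrites `spec.securityContext.seccompProfile.type` with `RuntimeDefault`. A pod that already declares `type: Localhost` together with `localhostProfile` would have its type flipped while `localhostProfile` stays in place, and the API server rejects that combination (`localhostProfile` is only allowed when type is `Localhost`), so the mutation turns a valid, more restrictive pod into an admission failure. Suggest Kyverno's add-if-absent anchor so the rule only fills in a missing profile and leaves explicit choices alone:

    securityContext:
      +(seccompProfile):
        type: RuntimeDefault

Two smaller points: `validationFailureAction: audit` does nothing for a mutate-only rule and can go, and excluding the `default` namespace is unusual for a hardening policy; if it is intentional (for example to avoid surprising ad-hoc workloads), a comment in the file explaining why would help. The multi-line plain scalar used for `policies.kyverno.io/description` is valid YAML, but a `>-` folded block scalar would make the intent clearer to readers.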