---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Seccomp Profiles restrict the system calls that
      can be made from a process. The Linux kernel has a few hundred system calls,
      but most of them are not needed by any given process. If a process can be compromised
      and tricked into making other system calls, though, it may lead to a security
      vulnerability that could result in the compromise of the whole system. By restricting
      what system calls can be made, seccomp is a key component for building application
      sandboxes.
  name: add-pod-default-seccompprofile
spec:
  admission: true
  background: false
  rules:
  - exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - kube-public
          - default
          - kyverno
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
    name: add-pod-default-seccompprofile
  validationFailureAction: Audit