{{- $name := "restrict-seccomp" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: {{ $name }} annotations: policies.kyverno.io/title: Restrict Seccomp policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }} {{- end }} policies.kyverno.io/subject: Pod kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.kyverno.io/description: >- The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is unset or set to `RuntimeDefault` or `Localhost`. spec: background: {{ .Values.background }} validationFailureAction: {{ .Values.validationFailureAction }} {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} validationFailureActionOverrides: {{ toYaml . | nindent 4 }} {{- end }} rules: - name: check-seccomp match: any: - resources: kinds: - Pod {{- with index .Values "policyExclude" $name }} exclude: {{- toYaml . | nindent 8 }} {{- end }} validate: message: >- Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type, spec.containers[*].securityContext.seccompProfile.type, spec.initContainers[*].securityContext.seccompProfile.type, and spec.ephemeralContainers[*].securityContext.seccompProfile.type must be unset or set to `RuntimeDefault` or `Localhost`. pattern: spec: =(securityContext): =(seccompProfile): =(type): "RuntimeDefault | Localhost" =(ephemeralContainers): - =(securityContext): =(seccompProfile): =(type): "RuntimeDefault | Localhost" =(initContainers): - =(securityContext): =(seccompProfile): =(type): "RuntimeDefault | Localhost" containers: - =(securityContext): =(seccompProfile): =(type): "RuntimeDefault | Localhost" {{- end }}