# Add RuntimeDefault Seccomp Profile Security Context to pods

Seccomp Profiles restrict the system calls that can be made from a process. The Linux kernel has a few hundred system calls, but most of them are not needed by any given process. If a process can be compromised and tricked into making other system calls, though, it may lead to a security vulnerability that could result in the compromise of the whole system. By restricting what system calls can be made, seccomp is a key component for building application sandboxes. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp


## Policy YAML

[add_pod_default_seccompprofile.yaml](more/add_pod_default_seccompprofile.yaml)

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-pod-default-seccompprofile
  annotations:
    policies.kyverno.io/category: Security
spec:
  background: false
  validationFailureAction: audit
  rules:
  - name: add-pod-default-seccompprofile
    match:
      resources:
        kinds:
        - Pod
    exclude:
      resources:
        namespaces:
          - "kube-system"
          - "kube-public"
          - "default"
          - "kyverno"
    mutate:
      patchStrategicMerge:
        spec:
          securityContext:
            seccompProfile:
              type: RuntimeDefault
```