mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
1.3 KiB
1.3 KiB
Add RuntimeDefault Seccomp Profile Security Context to pods
Seccomp Profiles restrict the system calls that can be made from a process. The Linux kernel has a few hundred system calls, but most of them are not needed by any given process. If a process can be compromised and tricked into making other system calls, though, it may lead to a security vulnerability that could result in the compromise of the whole system. By restricting what system calls can be made, seccomp is a key component for building application sandboxes. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Policy YAML
add_pod_default_seccompprofile.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-pod-default-seccompprofile
annotations:
policies.kyverno.io/category: Security
spec:
background: false
validationFailureAction: audit
rules:
- name: add-pod-default-seccompprofile
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- "kube-system"
- "kube-public"
- "default"
- "kyverno"
mutate:
patchStrategicMerge:
spec:
securityContext:
seccompProfile:
type: RuntimeDefault