1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-16 20:48:42 +00:00
kyverno/samples/more/add_pod_default_seccompprofile.yaml
Gregory May a6be0912ae
add Seccomp securityContext example (#1411)
Signed-off-by: gmay <mrgregmay@gmail.com>
2020-12-21 11:04:41 -08:00

34 lines
No EOL
1.1 KiB
YAML

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-pod-default-seccompprofile
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: Seccomp Profiles restrict the system calls that can be made
from a process. The Linux kernel has a few hundred system calls, but most of them are not
needed by any given process. If a process can be compromised and tricked into making other
system calls, though, it may lead to a security vulnerability that could result in the
compromise of the whole system. By restricting what system calls can be made, seccomp is
a key component for building application sandboxes.
spec:
background: false
validationFailureAction: audit
rules:
- name: add-pod-default-seccompprofile
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- "kube-system"
- "kube-public"
- "default"
- "kyverno"
mutate:
patchStrategicMerge:
spec:
securityContext:
seccompProfile:
type: RuntimeDefault