mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
39 lines
1.2 KiB
YAML
39 lines
1.2 KiB
YAML
---
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
annotations:
|
|
policies.kyverno.io/category: Security
|
|
policies.kyverno.io/description: Seccomp Profiles restrict the system calls that
|
|
can be made from a process. The Linux kernel has a few hundred system calls,
|
|
but most of them are not needed by any given process. If a process can be compromised
|
|
and tricked into making other system calls, though, it may lead to a security
|
|
vulnerability that could result in the compromise of the whole system. By restricting
|
|
what system calls can be made, seccomp is a key component for building application
|
|
sandboxes.
|
|
name: add-pod-default-seccompprofile
|
|
spec:
|
|
admission: true
|
|
background: false
|
|
rules:
|
|
- exclude:
|
|
any:
|
|
- resources:
|
|
namespaces:
|
|
- kube-system
|
|
- kube-public
|
|
- default
|
|
- kyverno
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Pod
|
|
mutate:
|
|
patchStrategicMerge:
|
|
spec:
|
|
securityContext:
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
name: add-pod-default-seccompprofile
|
|
validationFailureAction: Audit
|