53 lines
1.6 KiB
YAML
53 lines
1.6 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: require-seccomp-profile
|
|
annotations:
|
|
policies.kyverno.io/title: "Обязательный Seccomp профиль"
|
|
policies.kyverno.io/category: Pod Security Standards (Restricted)
|
|
policies.kyverno.io/severity: medium
|
|
policies.kyverno.io/subject: Pod
|
|
policies.kyverno.io/description: >-
|
|
Seccomp ограничивает системные вызовы контейнера, уменьшая
|
|
поверхность атаки на ядро Linux.
|
|
Используйте RuntimeDefault (профиль рантайма) или Localhost (кастомный).
|
|
spec:
|
|
validationFailureAction: Enforce
|
|
background: true
|
|
rules:
|
|
- name: require-seccomp-profile
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- kube-system
|
|
validate:
|
|
message: >-
|
|
Под '{{ request.object.metadata.name }}' не имеет seccomp профиля.
|
|
Добавьте в spec.securityContext:
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
pattern:
|
|
spec:
|
|
securityContext:
|
|
seccompProfile:
|
|
type: "RuntimeDefault | Localhost"
|
|
|
|
- name: disallow-unconfined-seccomp
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: >-
|
|
Тип Unconfined отключает seccomp защиту. Используйте RuntimeDefault.
|
|
deny:
|
|
conditions:
|
|
any:
|
|
- key: "{{ request.object.spec.securityContext.seccompProfile.type }}"
|
|
operator: Equals
|
|
value: Unconfined
|