The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.30 or later, ensures that seccomp is unset or set to `RuntimeDefault` or `Localhost`.
apiVersion: policies.kyverno.io/v1alpha1kind: ValidatingPolicymetadata:name: restrict-seccompannotations:policies.kyverno.io/title: Restrict Seccomp in ValidatingPolicypolicies.kyverno.io/category: Pod Security Standards (Baseline) in ValidatingPolicypolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Podpolicies.kyverno.io/minversion: 1.14.0kyverno.io/kyverno-version: 1.14.0kyverno.io/kubernetes-version: 1.30+policies.kyverno.io/description: The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.30 or later, ensures that seccomp is unset or set to `RuntimeDefault` or `Localhost`.spec:validationActions:- Auditevaluation:background:enabled: truematchConstraints:resourceRules:- apiGroups:- ""apiVersions:- v1operations:- CREATE- UPDATEresources:- podsvariables:- name: allContainersexpression: object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])- name: allowedProfileTypesexpression: "['RuntimeDefault', 'Localhost']"- name: hasValidSeccompProfileexpression: object.spec.?securityContext.?seccompProfile.?type.orValue('Localhost') in variables.allowedProfileTypesvalidations:- expression: |-variables.hasValidSeccompProfile && variables.allContainers.all(container,container.?securityContext.?seccompProfile.?type.orValue('Localhost') in variables.allowedProfileTypes)message: Use of custom Seccomp profiles is disallowed. The field `securityContext.seccompProfile.type` must be unset or set to `RuntimeDefault` or `Localhost`.
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.