# Copyright 2024 Google LLC
#
# This is “Software” that is licensed under the “General Software” section of
# the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
# usage in accordance with the following “Scope of Use”: This file may only be
# used on an Anthos cluster, including any associated ci/cd use. “Anthos
# cluster” is defined as “A Cluster (of any kind) registered to a fleet project
# where the Anthos API is enabled”.
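apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: nsa-cisa-k8s-v1.2-seccomp
  labels:
    policycontroller.gke.io/bundleName: nsa-cisa-k8s-v1.2
  annotations:
    policycontroller.gke.io/bundleVersion: "202312.1"
    # Bundle metadata read by Policy Controller. The block scalar below is one
    # opaque string value: do not add comments or reflow lines inside it.
    # NOTE(review): constraintHash presumably covers the shipped constraint
    # body — confirm whether it must be regenerated if spec is edited.
    policycontroller.gke.io/constraintData: |-
      "{
      bundleName: 'nsa-cisa-k8s-v1.2',
      bundleDisplayName: 'NSA CISA Kubernetes Hardening Guide v1.2',
      bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-nsa-cisa-k8s-v1.2',
      bundleVersion: '202312.1',
      bundleDescription: 'Use the NSA CISA Kubernetes Hardening Guide v1.2 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against some aspects of the NSA CISA Kubernetes Hardening Guide v1.2.',
      controlNumbers: '[]',
      severity: 'Medium',
      description: 'Seccomp profile must not be set to `Unconfined`. https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline',
      remediation: 'Containers cannot run with `seccomp` profile set to `Unconfined`. Remove or set your containers `seccomp` annotation to `RuntimeDefault` or `Localhost`. See "Set the Seccomp Profile for a Container" for more information: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-seccomp-profile-for-a-container',
      minimumTemplateLibraryVersion: '1.11.1',
      constraintHash: '43c2d65bb216ca39a0e18e1a11ac5a1c9a0fb4d6d0bacedce6c8c0c95792a1ef'
      }"
spec:
  # dryrun: violations are only reported in audit results; nothing is rejected
  # at admission. Change to deny to actually block non-compliant Pods.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups:
          - ""  # core API group
        kinds:
          - Pod
    # Platform and system namespaces that are not evaluated by this constraint.
    excludedNamespaces:
      - kube-system
      - gatekeeper-system
      - config-management-monitoring
      - config-management-system
      - asm-system
      - resource-group-system
      - istio-system
      - gke-connect
  parameters:
    # Any seccomp profile outside this list (notably Unconfined) is a violation.
    # "not configured" also accepts Pods that set no seccomp profile at all,
    # matching the PSS baseline level referenced in the description above.
    allowedProfiles:
      - RuntimeDefault
      - Localhost
      - not configured
    # Containers whose image matches one of these patterns are skipped by the
    # check (trailing "*" is the template's wildcard). Quoted so the ":" and
    # "*" are never reinterpreted by a YAML parser or formatter.
    exemptImages:
      - "gcr.io/gke-release/asm/proxyv2:*"
      - "gcr.io/anthos-baremetal-release/*"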