fix: use newer seccompProfile spec in mutation (#599)

Older is ignored Signed-off-by: Mathieu Parent <[email protected]> Co-authored-by: Rita Zhang <[email protected]>
open-policy-agent · Oct 29, 2024 · da229ba · da229ba
1 parent af24955
commit da229ba
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 16 deletions.
diff --git a/mutation/pod-security-policy/seccomp/samples/mutation.yaml b/mutation/pod-security-policy/seccomp/samples/mutation.yaml
@@ -1,14 +1,17 @@
 apiVersion: mutations.gatekeeper.sh/v1
-kind: AssignMetadata
+kind: Assign
 metadata:
   name: k8spspseccomp
 spec:
-  match:
-    scope: Namespaced
-    kinds:
-    - apiGroups: [""]
-      kinds: ["Pod"]
-  location: metadata.annotations."seccomp.security.alpha.kubernetes.io/pod"
+  applyTo:
+  - groups: [""]
+    kinds: ["Pod"]
+    versions: ["v1"]
+  location: spec.securityContext.seccompProfile
   parameters:
+    pathTests:
+    - subPath: spec.securityContext.seccompProfile
+      condition: MustNotExist
     assign:
-      value: runtime/default
+      value:
+        type: RuntimeDefault
diff --git a/website/docs/mutation-examples/seccomp.md b/website/docs/mutation-examples/seccomp.md
@@ -12,18 +12,21 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
 ## Mutation Examples
 ```yaml
 apiVersion: mutations.gatekeeper.sh/v1
-kind: AssignMetadata
+kind: Assign
 metadata:
   name: k8spspseccomp
 spec:
-  match:
-    scope: Namespaced
-    kinds:
-    - apiGroups: [""]
-      kinds: ["Pod"]
-  location: metadata.annotations."seccomp.security.alpha.kubernetes.io/pod"
+  applyTo:
+  - groups: [""]
+    kinds: ["Pod"]
+    versions: ["v1"]
+  location: spec.securityContext.seccompProfile
   parameters:
+    pathTests:
+    - subPath: spec.securityContext.seccompProfile
+      condition: MustNotExist
     assign:
-      value: runtime/default
+      value:
+        type: RuntimeDefault
 
 ```