add kyverno policies

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-05-27 19:23:54 -04:00
parent 4be877e419
commit baa0216960
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
35 changed files with 843 additions and 39 deletions


@ -0,0 +1,52 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-seccomp-runtime-default
spec:
validationFailureAction: Enforce
background: true
rules:
- name: require-pod-seccomp-runtime-default
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Pod seccompProfile.type must be RuntimeDefault."
pattern:
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
- name: require-container-seccomp-runtime-default
match:
any:
- resources:
kinds:
- Pod
validate:
message: "All containers must use RuntimeDefault seccomp."
foreach:
- list: "request.object.spec.containers"
pattern:
securityContext:
seccompProfile:
type: RuntimeDefault
- list: "request.object.spec.initContainers"
pattern:
securityContext:
seccompProfile:
type: RuntimeDefault
- list: "request.object.spec.ephemeralContainers"
pattern:
securityContext:
seccompProfile:
type: RuntimeDefault