open-policy-agent · JaydipGabani · Oct 28, 2024 · Jun 3, 2024 · Jun 3, 2024 · Jun 3, 2024
@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8spspseccomp
+displayName: Seccomp
+createdAt: "2024-06-03T13:44:11Z"
+description: Controls the seccomp profile used by containers. Corresponds to the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+digest: 483941dab0df9cb51189b131e309bf927928b69b46ed51986d2f51e30fe758af
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/seccomp
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Seccomp
+    Controls the seccomp profile used by containers. Corresponds to the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/pod-security-policy/seccomp/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPSeccomp
+metadata:
+  name: psp-seccomp
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    exemptImages:
+    - nginx-exempt
+    allowedProfiles:
+    - runtime/default
+    - localhost/profile.json
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-seccomp-disallowed
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-seccomp
+spec:
+  ephemeralContainers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-seccomp-allowed
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
+  labels:
+    app: nginx-seccomp
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-seccomp-allowed2
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  labels:
+    app: nginx-seccomp
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-seccomp-disallowed
+  labels:
+    app: nginx-seccomp
+spec:
+  containers:
+  - name: nginx
+    image: nginx-exempt
+    securityContext:
+      seccompProfile:
+        type: Unconfined
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-seccomp-allowed-localhost
+  labels:
+    app: nginx-seccomp
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      seccompProfile:
+        type: Localhost
+        localhostProfile: profile.json
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-seccomp-disallowed
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
+  labels:
+    app: nginx-seccomp
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-seccomp-disallowed2
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  labels:
+    app: nginx-seccomp
+spec:
+  containers:
+  - name: nginx
+    image: nginx
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-seccomp-disallowed-localhost
+  labels:
+    app: nginx-seccomp
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      seccompProfile:
+        type: Localhost
+        localhostProfile: profile.log
@@ -0,0 +1,45 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: seccomp
+tests:
+- name: default-seccomp-required
+  template: template.yaml
+  constraint: samples/psp-seccomp/constraint.yaml
+  cases:
+  - name: example-disallowed-global
+    object: samples/psp-seccomp/example_disallowed2.yaml
+    assertions:
+    - violations: 1
+      message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
+  - name: example-disallowed-container
+    object: samples/psp-seccomp/example_disallowed.yaml
+    assertions:
+    - violations: 1
+      message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation container.seccomp.security.alpha.kubernetes.io/nginx"
+  - name: example-allowed-container
+    object: samples/psp-seccomp/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-allowed-global
+    object: samples/psp-seccomp/example_allowed2.yaml
+    assertions:
+    - violations: no
+  - name: disallowed-ephemeral
+    object: samples/psp-seccomp/disallowed_ephemeral.yaml
+    assertions:
+    - violations: 1
+      message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation container.seccomp.security.alpha.kubernetes.io/nginx"
+  - name: example-allowed-container-exempt-image
+    object: samples/psp-seccomp/example_allowed_exempt_image.yaml
+    assertions:
+    - violations: no
+  - name: example-allowed-container-localhost-profile
+    object: samples/psp-seccomp/example_allowed_localhost.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed-container-localhost-profile
+    object: samples/psp-seccomp/example_disallowed_localhost.yaml
+    assertions:
+    - violations: 1
+      message: "Seccomp profile 'localhost/profile.log' is not allowed for container 'nginx'. Found at: container securityContext."