# Policy examples for "Restricted" PSS

# Suggestion

1. Be able to exclude multiple Controls

   We can exclude only one control inside a Policy. Change `Control` to `Controls` so that we can specify a list of controls.

2. Exclude multiple RestrictedFields

   Same, but for `RestrictedFields`.

# Interesting links

- 10 Kubernetes security context settings you should understand: https://snyk.io/blog/10-kubernetes-security-context-settings-you-should-understand/

# Restricted

Everything from the `Baseline` profile + the following controls.

## Volume Types

The restricted policy only permits the following volume types.

### Restricted fields

| Restricted fields |
| -------- |
| spec.volumes[*] |

Every item in the `spec.volumes[*]` list must set one of the following fields to a non-null value:

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| spec.volumes[*].configMap | Object |
| spec.volumes[*].csi | Object |
| spec.volumes[*].downwardAPI | Object |
| spec.volumes[*].emptyDir | Object |
| spec.volumes[*].ephemeral | Object |
| spec.volumes[*].persistentVolumeClaim | Object |
| spec.volumes[*].projected | Object |
| spec.volumes[*].secret | Object |

### Possible exclude values

Get all volume types: https://kubernetes.io/docs/concepts/storage/volumes/

| Possible exclude values | Value type |
| -------- | -------- |
| cephfs | String |
| glusterfs | String |
| hostPath | String |
| local | String |
| nfs | String |
| portworxVolume | String |

Example: The following rule applies Restricted PSS to namespaces "test" and "staging" while excluding pods running image "ghcr.io/example/nginx:1.2.3", so that they can use the `cephfs` volume type.
```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-volumes-types
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: VolumeTypes
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.volumes[*]
        values:
        - "cephfs"
```

## Privilege Escalation (v1.8+)

Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed.

### Restricted fields

| Restricted fields |
| -------- |
| spec.containers[*].securityContext.allowPrivilegeEscalation |
| spec.initContainers[*].securityContext.allowPrivilegeEscalation |
| spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| false | Boolean |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| true | Boolean |

Example: The following rule applies Restricted PSS to namespaces "test" and "staging" while excluding pods running image "ghcr.io/example/nginx:1.2.3" with `allowPrivilegeEscalation` set to `true`.

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-privilege-escalation
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: PrivilegeEscalation
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.containers[*].securityContext.allowPrivilegeEscalation
        values:
        - true
```

## Running as Non-root

Containers must be required to run as non-root users.

### Restricted fields

| Restricted fields |
| -------- |
| spec.securityContext.runAsNonRoot |
| spec.containers[*].securityContext.runAsNonRoot |
| spec.initContainers[*].securityContext.runAsNonRoot |
| spec.ephemeralContainers[*].securityContext.runAsNonRoot |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| true | Boolean |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| false | Boolean |

Example: The following rule applies Restricted PSS to namespaces "test" and "staging" while excluding pods running image "ghcr.io/example/nginx:1.2.3" with `spec.securityContext.runAsNonRoot` set to `false`.

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-running-as-non-root
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: RunningAsNonRoot
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.securityContext.runAsNonRoot
        values:
        - false
```

## Running as Non-root user (v1.23+)

Containers must not set `runAsUser` to 0.

### Restricted fields

| Restricted fields |
| -------- |
| spec.securityContext.runAsUser |
| spec.containers[*].securityContext.runAsUser |
| spec.initContainers[*].securityContext.runAsUser |
| spec.ephemeralContainers[*].securityContext.runAsUser |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| any non-zero value | Int64 |
| undefined/null | *Int64 |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| 0 | Int64 |

Example: The following rule applies Restricted PSS to namespaces "test" and "staging" while excluding pods running image "ghcr.io/example/nginx:1.2.3" with `spec.securityContext.runAsUser` set to `0` (root).

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-running-as-non-root-user
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: RunningAsNonRootUser
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.securityContext.runAsUser
        values:
        - 0 # root
```

## Seccomp (v1.19+)

Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
### Restricted fields

| Restricted fields |
| -------- |
| spec.securityContext.seccompProfile.type |
| spec.containers[*].securityContext.seccompProfile.type |
| spec.initContainers[*].securityContext.seccompProfile.type |
| spec.ephemeralContainers[*].securityContext.seccompProfile.type |

### Allowed values

Get all Seccomp types: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/135-seccomp/README.md

| Allowed values | Value type |
| -------- | -------- |
| RuntimeDefault | String |
| Localhost | String |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| Unconfined | String |
| Undefined / nil | (no set) String |

Example: The following rule applies Restricted PSS to namespaces "test" and "staging" while excluding pods running image "ghcr.io/example/nginx:1.2.3" with `spec.securityContext.seccompProfile.type` set to `Unconfined`.

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-seccomp
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: Seccomp
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.securityContext.seccompProfile.type
        values:
        - "Unconfined"
```

## Capabilities

Containers must drop `ALL` capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability.
### Drop

#### Restricted fields

| Restricted fields |
| -------- |
| spec.containers[*].securityContext.capabilities.drop |
| spec.initContainers[*].securityContext.capabilities.drop |
| spec.ephemeralContainers[*].securityContext.capabilities.drop |

#### Allowed values

Any list of capabilities that includes `ALL`.

| Allowed values | Value type |
| -------- | -------- |
| ALL | String |

#### Possible exclude values

Get all security context capabilities: https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/

| Possible exclude values | Value type |
| -------- | -------- |
| SETPCAP | String |
| SYS_MODULE | String |
| SYS_RAWIO | String |
| SYS_PACCT | String |
| SYS_ADMIN | String |
| SYS_NICE | String |
| SYS_RESOURCE | String |
| SYS_TIME | String |
| SYS_TTY_CONFIG | String |
| MKNOD | String |
| AUDIT_WRITE | String |
| AUDIT_CONTROL | String |
| MAC_OVERRIDE | String |
| MAC_ADMIN | String |
| NET_ADMIN | String |
| SYSLOG | String |
| CHOWN | String |
| NET_RAW | String |
| DAC_OVERRIDE | String |
| FOWNER | String |
| DAC_READ_SEARCH | String |
| FSETID | String |
| KILL | String |
| SETGID | String |
| SETUID | String |
| LINUX_IMMUTABLE | String |
| NET_BIND_SERVICE | String |
| NET_BROADCAST | String |
| IPC_LOCK | String |
| IPC_OWNER | String |
| SYS_CHROOT | String |
| SYS_PTRACE | String |
| SYS_BOOT | String |
| LEASE | String |
| SETFCAP | String |
| WAKE_ALARM | String |
| BLOCK_SUSPEND | String |

Example: The following rule applies Restricted PSS to namespaces "test" and "staging" while excluding pods running image "ghcr.io/example/nginx:1.2.3", so that they can drop only the `KILL`, `SETGID` and `SETUID` capabilities.

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-capabilities
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: Capabilities
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.containers[*].securityContext.capabilities.drop
        values:
        - "KILL"
        - "SETGID"
        - "SETUID"
```

### Add

#### Restricted fields

| Restricted fields |
| -------- |
| spec.containers[*].securityContext.capabilities.add |
| spec.initContainers[*].securityContext.capabilities.add |
| spec.ephemeralContainers[*].securityContext.capabilities.add |

#### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| Undefined/nil | (no set) String |
| NET_BIND_SERVICE | String |

#### Possible exclude values

Get all security context capabilities: https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/

| Possible exclude values | Value type |
| -------- | -------- |
| SETPCAP | String |
| SYS_MODULE | String |
| SYS_RAWIO | String |
| SYS_PACCT | String |
| SYS_ADMIN | String |
| SYS_NICE | String |
| SYS_RESOURCE | String |
| SYS_TIME | String |
| SYS_TTY_CONFIG | String |
| MKNOD | String |
| AUDIT_WRITE | String |
| AUDIT_CONTROL | String |
| MAC_OVERRIDE | String |
| MAC_ADMIN | String |
| NET_ADMIN | String |
| SYSLOG | String |
| CHOWN | String |
| NET_RAW | String |
| DAC_OVERRIDE | String |
| FOWNER | String |
| DAC_READ_SEARCH | String |
| FSETID | String |
| KILL | String |
| SETGID | String |
| SETUID | String |
| LINUX_IMMUTABLE | String |
| NET_BROADCAST | String |
| IPC_LOCK | String |
| IPC_OWNER | String |
| SYS_CHROOT | String |
| SYS_PTRACE | String |
| SYS_BOOT | String |
| LEASE | String |
| SETFCAP | String |
| WAKE_ALARM | String |
| BLOCK_SUSPEND | String |

Example: The following rule applies Restricted PSS to namespaces "test" and "staging" while excluding pods running image "ghcr.io/example/nginx:1.2.3", so that they can add the `KILL`, `SETGID` and `SETUID` capabilities.

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-capabilities
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: Capabilities
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.containers[*].securityContext.capabilities.add
        values:
        - "KILL"
        - "SETGID"
        - "SETUID"
```

# Baseline

## HostProcess

Windows pods offer the ability to run HostProcess containers, which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy.
### Restricted fields

| Restricted fields |
| -------- |
| spec.securityContext.windowsOptions.hostProcess |
| spec.containers[*].securityContext.windowsOptions.hostProcess |
| spec.initContainers[*].securityContext.windowsOptions.hostProcess |
| spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| undefined / nil | *Boolean |
| false | Boolean |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| true | Boolean |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-HostProcess
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: HostProcess
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.securityContext.windowsOptions.hostProcess
        values:
        - true
```

## Host Namespaces

Sharing the host namespaces must be disallowed.
### Restricted fields

| Restricted fields |
| -------- |
| spec.hostNetwork |
| spec.hostPID |
| spec.hostIPC |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| undefined / nil | (no set) Boolean |
| false | Boolean |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| true | Boolean |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-HostNamespaces
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: HostNamespaces
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.hostNetwork
        # Possible restrictedField values for the "HostNamespaces" control:
        # spec.hostNetwork
        # spec.hostPID
        # spec.hostIPC
        values:
        - true
```

## Privileged Containers

Privileged Pods disable most security mechanisms and must be disallowed.
### Restricted fields

| Restricted fields |
| -------- |
| spec.containers[*].securityContext.privileged |
| spec.initContainers[*].securityContext.privileged |
| spec.ephemeralContainers[*].securityContext.privileged |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| undefined / nil | (no set) Boolean |
| false | Boolean |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| true | Boolean |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-PrivilegedContainers
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: PrivilegedContainers
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.containers[*].securityContext.privileged
        values:
        - true
```

## Capabilities

Adding additional capabilities beyond those listed below must be disallowed.
### Restricted fields

| Restricted fields |
| -------- |
| spec.containers[*].securityContext.capabilities.add |
| spec.initContainers[*].securityContext.capabilities.add |
| spec.ephemeralContainers[*].securityContext.capabilities.add |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| undefined / nil | (no set) []Capabilities ([]String) |
| AUDIT_WRITE | String |
| CHOWN | String |
| DAC_OVERRIDE | String |
| FOWNER | String |
| FSETID | String |
| KILL | String |
| MKNOD | String |
| NET_BIND_SERVICE | String |
| SETFCAP | String |
| SETGID | String |
| SETPCAP | String |
| SETUID | String |
| SYS_CHROOT | String |

### Possible exclude values

Get values here: https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/

| Possible exclude values | Value type |
| -------- | -------- |
| SYS_MODULE | String |
| SYS_RAWIO | String |
| SYS_PACCT | String |
| SYS_ADMIN | String |
| SYS_NICE | String |
| SYS_RESOURCE | String |
| SYS_TIME | String |
| SYS_TTY_CONFIG | String |
| AUDIT_CONTROL | String |
| MAC_OVERRIDE | String |
| MAC_ADMIN | String |
| NET_ADMIN | String |
| SYSLOG | String |
| NET_RAW | String |
| DAC_READ_SEARCH | String |
| LINUX_IMMUTABLE | String |
| NET_BROADCAST | String |
| IPC_LOCK | String |
| IPC_OWNER | String |
| SYS_PTRACE | String |
| SYS_BOOT | String |
| LEASE | String |
| WAKE_ALARM | String |
| BLOCK_SUSPEND | String |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-Capabilities
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: Capabilities
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.containers[*].securityContext.capabilities.add
        values:
        - "SYS_BOOT"
```

## HostPath Volumes

HostPath volumes must be forbidden.

### Restricted fields

| Restricted fields |
| -------- |
| spec.volumes[*].hostPath |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| undefined / nil | (no set) String |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| {hostPath} | String |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-HostPathVolumes
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: HostPathVolumes
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.volumes[*].hostPath
        values:
        - "undefined"
```

## Host Ports

HostPorts should be disallowed, or at minimum restricted to a known list.

### Restricted fields

| Restricted fields |
| -------- |
| spec.containers[*].ports[*].hostPort |
| spec.initContainers[*].ports[*].hostPort |
| spec.ephemeralContainers[*].ports[*].hostPort |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| undefined / nil | (no set) Int32 |
| Known list (well-known ports? 0 to 1023, https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers) | Integer? |
| 0 | Int32 |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| Any port | Int32 |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-HostPorts
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: HostPorts
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.containers[*].ports[*].hostPort
        values:
        - 2000
        - 2001
```

## AppArmor

On supported hosts, the `runtime/default` AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.
### Restricted fields

| Restricted fields |
| -------- |
| metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"] |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| undefined / nil | (no set) String |
| runtime/default | String |
| localhost/* | String |

### Possible exclude values

Get all values here: https://kubernetes.io/docs/tutorials/security/apparmor/

| Possible exclude values | Value type |
| -------- | -------- |
| unconfined | String |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-AppArmor
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: AppArmor
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]
        values:
        - "unconfined"
```

## SELinux

Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.

### 1. Restricted fields

| Restricted fields |
| -------- |
| spec.securityContext.seLinuxOptions.type |
| spec.containers[*].securityContext.seLinuxOptions.type |
| spec.initContainers[*].securityContext.seLinuxOptions.type |
| spec.ephemeralContainers[*].securityContext.seLinuxOptions.type |

### 1. Allowed values

| Allowed values | Value type |
| -------- | -------- |
| Undefined/"" | (no set) String |
| container_t | String |
| container_init_t | String |
| container_kvm_t | String |

### 1. Possible exclude values

Any other strings.

### 2. Restricted fields

| Restricted fields |
| -------- |
| spec.securityContext.seLinuxOptions.user |
| spec.containers[*].securityContext.seLinuxOptions.user |
| spec.initContainers[*].securityContext.seLinuxOptions.user |
| spec.ephemeralContainers[*].securityContext.seLinuxOptions.user |
| spec.securityContext.seLinuxOptions.role |
| spec.containers[*].securityContext.seLinuxOptions.role |
| spec.initContainers[*].securityContext.seLinuxOptions.role |
| spec.ephemeralContainers[*].securityContext.seLinuxOptions.role |

### 2. Allowed values

| Allowed values | Value type |
| -------- | -------- |
| Undefined/"" | (no set) String |

### 2. Possible exclude values

Any other strings.

Example: The following rule excludes pods running image "ghcr.io/example/nginx:1.2.3" from the SELinux type restriction for one type outside the allowed `container_*` set (`spc_t` is used here as an example value).

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-SELinux
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: SELinux
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.securityContext.seLinuxOptions.type
        values:
        - "spc_t" # example: any type other than the allowed container_* types
```

## /proc Mount Type

The default /proc masks are set up to reduce attack surface, and should be required.
### Restricted fields

| Restricted fields |
| -------- |
| spec.containers[*].securityContext.procMount |
| spec.initContainers[*].securityContext.procMount |
| spec.ephemeralContainers[*].securityContext.procMount |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| Undefined/nil | (no set) String |
| Default | String |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| Unmasked | String |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-ProcMountType
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: restricted
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: ProcMountType
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.containers[*].securityContext.procMount
        values:
        - "Unmasked"
```

## Seccomp

Seccomp profile must not be explicitly set to Unconfined.
### Restricted fields

| Restricted fields |
| -------- |
| spec.securityContext.seccompProfile.type |
| spec.containers[*].securityContext.seccompProfile.type |
| spec.initContainers[*].securityContext.seccompProfile.type |
| spec.ephemeralContainers[*].securityContext.seccompProfile.type |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| Undefined/nil | (no set) String |
| RuntimeDefault | String |
| Localhost | String |

### Possible exclude values

| Possible exclude values | Value type |
| -------- | -------- |
| Unconfined | String |

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-Seccomp
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: baseline
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: Seccomp
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.securityContext.seccompProfile.type
        values:
        - "Unconfined"
```

## Sysctls

Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.
### Restricted fields

| Restricted fields |
| -------- |
| spec.securityContext.sysctls[*].name |

### Allowed values

| Allowed values | Value type |
| -------- | -------- |
| Undefined/nil | (no set) String |
| kernel.shm_rmid_forced | String |
| net.ipv4.ip_local_port_range | String |
| net.ipv4.ip_unprivileged_port_start | String |
| net.ipv4.tcp_syncookies | String |
| net.ipv4.ping_group_range | String |

### Possible exclude values

Get all values with `sysctl -a`.

Example:

```yaml
validationFailureAction: enforce
rules:
- name: enforce-restricted-exclude-Sysctl
  match:
    any:
    - resources:
        kinds:
        - Pod
        namespaces:
        - test
        - staging
  exclude:
    any:
    - userInfo:
        username: dummyuser
  validate:
    # this new type of rule only deals with PSS profiles
    # as we need to check if the value in the resource
    # is actually allowed by PSS
    podSecurity:
      profile: baseline
      # version must be a valid Kubernetes minor version,
      # or `latest`.
      version: v1.24
      exclude:
      # controlName is the Control defined in PSS
      # +required
      - controlName: Sysctl
        images:
        - ghcr.io/example/nginx:1.2.3
        restrictedField: spec.securityContext.sysctls[*].name
        values:
        - "kern.singleuser"
```
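The tables above describe each control as a set of restricted field paths plus an allowed-value set, and every example narrows an `exclude` entry by control, image, `restrictedField` and `values`. The following added example (not Kyverno's code, and not part of the original proposal) shows how those four conditions compose when a pod is evaluated: it resolves the `spec.containers[*]...` paths against a pod manifest, flags values outside the allowed set, and excuses a violation only when all exclusion conditions match. The control definitions are transcribed from the Baseline tables for Host Namespaces, Privileged Containers and Seccomp; the pod manifest, the sidecar image name and the `missing_ok` flag (whether an unset field counts as allowed) are constructed for this illustration.

```python
"""Toy evaluator for the podSecurity `exclude` semantics sketched in this document.

Added illustration, not Kyverno's implementation. Field paths use the same
dotted `[*]` notation as the tables above; pod data is constructed.
"""
import re

MISSING = object()  # sentinel for "field not set" (the tables' "undefined / nil")

# Subset of Baseline controls, transcribed from the tables above.
# missing_ok: whether an unset field is allowed for that control (assumption
# made here to keep the example self-contained).
BASELINE_SUBSET = {
    "HostNamespaces": {
        "fields": ["spec.hostNetwork", "spec.hostPID", "spec.hostIPC"],
        "allowed": {False}, "missing_ok": True},
    "PrivilegedContainers": {
        "fields": ["spec.containers[*].securityContext.privileged",
                   "spec.initContainers[*].securityContext.privileged",
                   "spec.ephemeralContainers[*].securityContext.privileged"],
        "allowed": {False}, "missing_ok": True},
    "Seccomp": {
        "fields": ["spec.securityContext.seccompProfile.type",
                   "spec.containers[*].securityContext.seccompProfile.type",
                   "spec.initContainers[*].securityContext.seccompProfile.type",
                   "spec.ephemeralContainers[*].securityContext.seccompProfile.type"],
        "allowed": {"RuntimeDefault", "Localhost"}, "missing_ok": True},
}


def resolve(obj, segments, path=()):
    """Yield (concrete_path, value) for a dotted path; `[*]` fans out over a list."""
    if not segments:
        yield ".".join(path), obj
        return
    seg, rest = segments[0], segments[1:]
    if seg.endswith("[*]"):
        key = seg[:-3]
        items = obj.get(key) if isinstance(obj, dict) else None
        for i, item in enumerate(items or []):
            yield from resolve(item, rest, path + (f"{key}[{i}]",))
        return
    if isinstance(obj, dict) and seg in obj:
        yield from resolve(obj[seg], rest, path + (seg,))
    else:
        # Field is unset: report the full path so the caller can apply missing_ok.
        yield ".".join(path + (seg,) + tuple(rest)), MISSING


def violations(pod, controls):
    """Return (controlName, concrete_field, value) for every disallowed setting."""
    found = []
    for name, ctl in controls.items():
        for field in ctl["fields"]:
            for concrete, value in resolve(pod, field.split(".")):
                if value is MISSING:
                    if not ctl["missing_ok"]:
                        found.append((name, concrete, None))
                elif value not in ctl["allowed"]:
                    found.append((name, concrete, value))
    return found


def field_matches(pattern, concrete):
    """True if a `[*]` pattern such as spec.containers[*].x covers a concrete path."""
    regex = re.escape(pattern).replace(r"\[\*\]", r"\[\d+\]")
    return re.fullmatch(regex, concrete) is not None


def owning_image(pod, concrete):
    """Image of the container a container-level path belongs to; None for pod-level fields."""
    m = re.match(r"spec\.(containers|initContainers|ephemeralContainers)\[(\d+)\]", concrete)
    if not m:
        return None
    return pod["spec"][m.group(1)][int(m.group(2))].get("image")


def pod_images(pod):
    spec = pod.get("spec", {})
    return [c.get("image") for kind in ("containers", "initContainers") for c in spec.get(kind, [])]


def is_excluded(pod, violation, excludes):
    """An exclusion applies only when control, image, restrictedField and value all match."""
    control, concrete, value = violation
    image = owning_image(pod, concrete)
    candidates = [image] if image else pod_images(pod)  # pod-level field: any container's image
    for ex in excludes:
        if ex["controlName"] != control:
            continue
        if not any(c in ex["images"] for c in candidates):
            continue
        if "restrictedField" in ex and not field_matches(ex["restrictedField"], concrete):
            continue
        if "values" in ex and value not in ex["values"]:
            continue
        return True
    return False


def evaluate(pod, controls, excludes):
    """Violations that survive the exclusions, i.e. what the rule would still block."""
    return [v for v in violations(pod, controls) if not is_excluded(pod, v, excludes)]


SAMPLE_POD = {  # constructed: one excluded image, one sidecar that is not excluded
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "test"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "Unconfined"}},
        "containers": [
            {"name": "web", "image": "ghcr.io/example/nginx:1.2.3",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "ghcr.io/example/sidecar:0.1",
             "securityContext": {"privileged": True}},
        ],
    },
}

# Same shape as the podSecurity.exclude entries in the Privileged Containers
# and baseline Seccomp examples above.
SAMPLE_EXCLUDES = [
    {"controlName": "PrivilegedContainers", "images": ["ghcr.io/example/nginx:1.2.3"],
     "restrictedField": "spec.containers[*].securityContext.privileged", "values": [True]},
    {"controlName": "Seccomp", "images": ["ghcr.io/example/nginx:1.2.3"],
     "restrictedField": "spec.securityContext.seccompProfile.type", "values": ["Unconfined"]},
]

if __name__ == "__main__":
    for v in violations(SAMPLE_POD, BASELINE_SUBSET):
        print("violation:", v)
    for v in evaluate(SAMPLE_POD, BASELINE_SUBSET, SAMPLE_EXCLUDES):
        print("still blocked:", v)
```

Running it shows three raw violations (two privileged containers and the pod-level `Unconfined` seccomp profile), of which only the sidecar's `privileged: true` survives: the nginx container's violation is excused by image, field and value, and the pod-level seccomp violation is excused because the pod runs an excluded image. This is also why the exclusions in the examples above are deliberately narrow: an exclusion without `restrictedField` or `values` would excuse every violation of that control for the named image.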