metio
diff --git a/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/README.md‎
Lines changed: 14 additions & 0 deletions b/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/README.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/binding.yaml‎
Lines changed: 12 additions & 0 deletions b/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/binding.yaml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/kustomization.yaml‎
Lines changed: 7 additions & 0 deletions b/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/kustomization.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/policy.yaml‎
Lines changed: 65 additions & 0 deletions b/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/policy.yaml‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/test/cronjob-bad.yaml‎
Lines changed: 152 additions & 0 deletions b/‎components/policies/pod-security-standards/restricted/require-seccomp-profile-type/test/cronjob-bad.yaml‎
Lines changed: 152 additions & 0 deletions
@@ -0,0 +1,14 @@
+<!--
+SPDX-FileCopyrightText: The vap-collection Authors
+SPDX-License-Identifier: Apache-2.0
+ -->
+
+# require-seccomp-profile-type
+
+Verifies that pods specify their seccomp profile type.
+
+Use the following query to list all pods in your cluster along with their current seccomp profile type usage:
+
+```shell
+kubectl get pods --all-namespaces --output yaml | yq '.items[] | select([[.spec.securityContext.seccompProfile.type], .spec.containers[].securityContext.seccompProfile.type, .spec.initContainers[].securityContext.seccompProfile.type, .spec.ephemeralContainers[].securityContext.seccompProfile.type] | flatten | any_c(. != "RuntimeDefault" and . != "Localhost")) | .metadata.namespace + "/" + .metadata.name + ": " + ([[.spec.seccompProfile.type], .spec.containers[].securityContext.seccompProfile.type, .spec.initContainers[].securityContext.seccompProfile.type, .spec.ephemeralContainers[].securityContext.seccompProfile.type] | flatten | join(", "))'
+```
@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: The vap-collection Authors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: require-seccomp-profile-type
+  labels:
+    app.kubernetes.io/name: require-seccomp-profile-type
+    app.kubernetes.io/component: pod-security-standards-baseline
+spec:
+  policyName: require-seccomp-profile-type
+  validationActions: [Deny]
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: The vap-collection Authors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - binding.yaml
+  - policy.yaml
@@ -0,0 +1,65 @@
+# SPDX-FileCopyrightText: The vap-collection Authors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: require-seccomp-profile-type
+  labels:
+    app.kubernetes.io/name: require-seccomp-profile-type
+    app.kubernetes.io/component: pod-security-standards-baseline
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+      - apiGroups:    [""]
+        apiVersions:  ["v1"]
+        operations:   ["CREATE", "UPDATE"]
+        resources:    ["pods"]
+        scope:        "Namespaced"
+      - apiGroups:    ["apps"]
+        apiVersions:  ["v1"]
+        operations:   ["CREATE", "UPDATE"]
+        resources:    ["daemonsets", "deployments", "statefulsets"]
+        scope:        "Namespaced"
+      - apiGroups:    ["batch"]
+        apiVersions:  ["v1"]
+        operations:   ["CREATE", "UPDATE"]
+        resources:    ["cronjobs", "jobs"]
+        scope:        "Namespaced"
+  variables:
+    - expression: "['RuntimeDefault', 'Localhost']"
+      name: allowedProfileTypes
+    - expression: object.spec.?template.?spec.?securityContext.?seccompProfile.?type
+      name: controllerSeccompProfileType
+    - expression: object.spec.?jobTemplate.?spec.?template.?spec.?securityContext.?seccompProfile.?type
+      name: cronJobSeccompProfileType
+    - expression: object.spec.?securityContext.?seccompProfile.?type
+      name: podSeccompProfileType
+    - expression: variables.controllerSeccompProfileType.or(variables.cronJobSeccompProfileType).or(variables.podSeccompProfileType)
+      name: allSeccompProfileType
+    - expression:
+        object.spec.?template.?spec.?containers.orValue([]) +
+        object.spec.?template.?spec.?initContainers.orValue([]) +
+        object.spec.?template.?spec.?ephemeralContainers.orValue([])
+      name: controllerContainer
+    - expression:
+        object.spec.?jobTemplate.?spec.?template.?spec.?containers.orValue([]) +
+        object.spec.?jobTemplate.?spec.?template.?spec.?initContainers.orValue([]) +
+        object.spec.?jobTemplate.?spec.?template.?spec.?ephemeralContainers.orValue([])
+      name: cronJobContainers
+    - expression:
+        object.spec.?containers.orValue([]) +
+        object.spec.?initContainers.orValue([]) +
+        object.spec.?ephemeralContainers.orValue([])
+      name: podContainers
+    - expression: variables.controllerContainer + variables.cronJobContainers + variables.podContainers
+      name: allContainers
+  validations:
+    - expression:
+        variables.allContainers.all(container,
+          container.?securityContext.?seccompProfile.?type.or(variables.allSeccompProfileType).orValue('Unconfined') in variables.allowedProfileTypes)
+      messageExpression: "'Any seccomp profile beyond the allowed list (' + variables.allowedProfileTypes.join(', ') + ') are forbidden.'"
+      reason: Invalid
+  auditAnnotations:
+    - key: name
+      valueExpression: string(object.metadata.name)
@@ -0,0 +1,152 @@
+# SPDX-FileCopyrightText: The vap-collection Authors
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob01
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: container01
+              image: dummyimagename
+          securityContext:
+            seccompProfile:
+              type: Unconfined
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob02
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: container01
+              image: dummyimagename
+              securityContext:
+                seccompProfile:
+                  type: Unconfined
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob03
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: container01
+              image: dummyimagename
+            - name: container02
+              image: dummyimagename
+              securityContext:
+                seccompProfile:
+                  type: Unconfined
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob04
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: container01
+              image: dummyimagename
+              securityContext:
+                seccompProfile:
+                  type: RuntimeDefault
+            - name: container02
+              image: dummyimagename
+              securityContext:
+                seccompProfile:
+                  type: Unconfined
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob05
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          initContainers:
+            - name: initcontainer01
+              image: dummyimagename
+              securityContext:
+                seccompProfile:
+                  type: Unconfined
+          containers:
+            - name: container01
+              image: dummyimagename
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob06
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          initContainers:
+            - name: initcontainer01
+              image: dummyimagename
+            - name: initcontainer02
+              image: dummyimagename
+              securityContext:
+                seccompProfile:
+                  type: Unconfined
+          containers:
+            - name: container01
+              image: dummyimagename
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob07
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          initContainers:
+            - name: initcontainer01
+              image: dummyimagename
+              securityContext:
+                seccompProfile:
+                  type: RuntimeDefault
+            - name: initcontainer02
+              image: dummyimagename
+              securityContext:
+                seccompProfile:
+                  type: Unconfined
+          containers:
+            - name: container01
+              image: dummyimagename
+---