fix: fix seccomp rule logic (#951)
hadar-co authored Jul 2, 2023
1 parent 5799e9e commit 00d82f2
Showing 1 changed file with 65 additions and 41 deletions.
106 changes: 65 additions & 41 deletions pkg/defaultRules/defaultRules.yaml
Expand Up @@ -3352,57 +3352,81 @@ rules:
impact: Using the default seccomp profile may allow risky privileges for workloads
schema:
definitions:
podAnnotationsPattern:
annotationsPattern:
properties:
metadata:
properties:
annotations:
properties:
seccomp.security.alpha.kubernetes.io/pod:
enum:
- docker/default
- runtime/default
required:
- seccomp.security.alpha.kubernetes.io/pod
required:
- annotations
required:
- metadata
seccompProfilePattern:
if:
properties:
kind:
enum:
- Pod
required:
- kind
then:
required:
- spec
properties:
metadata:
spec:
required:
- securityContext
properties:
annotations:
properties:
seccomp.security.alpha.kubernetes.io/pod:
enum:
- docker/default
- runtime/default
securityContext:
required:
- seccomp.security.alpha.kubernetes.io/pod
required:
- annotations
- seccompProfile
properties:
seccompProfile:
required:
- type
properties:
type:
enum:
- RuntimeDefault
- DockerDefault
else:
required:
- metadata
templateAnnotationsPattern:
properties:
spec:
properties:
template:
properties:
metadata:
properties:
annotations:
properties:
seccomp.security.alpha.kubernetes.io/pod:
enum:
- docker/default
- runtime/default
required:
- seccomp.security.alpha.kubernetes.io/pod
required:
- annotations
required:
- metadata
allOf:
- $ref: "#/definitions/podAnnotationsPattern"
- $ref: "#/definitions/templateAnnotationsPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- spec
properties:
spec:
required:
- template
properties:
template:
required:
- spec
properties:
spec:
required:
- securityContext
properties:
securityContext:
required:
- seccompProfile
properties:
seccompProfile:
required:
- type
properties:
type:
enum:
- RuntimeDefault
- DockerDefault
if: *standardKinds
then:
anyOf:
- $ref: "#/definitions/annotationsPattern"
- $ref: "#/definitions/seccompProfilePattern"
- id: 100
name: Ensure containers and pods have a configured security context
uniqueName: CIS_MISSING_KEY_SECURITYCONTEXT
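Review bot: The new `seccompProfilePattern` definition only constrains the pod-level `securityContext.seccompProfile.type` (directly under `spec` for `kind: Pod`, under `spec.template.spec` otherwise), so a manifest whose pod sets `RuntimeDefault` while one of its containers sets `securityContext.seccompProfile.type: Unconfined` still satisfies the `anyOf` in the `then:` branch, even though the container-level value is what takes effect for that container; the annotation branch has the same blind spot, and the enclosing rule entry (its `name`/`uniqueName` keys) starts above the hunk. One way to close this without changing the outcome for compliant manifests is an additional definition that rejects `Unconfined` under `spec.containers[].securityContext` (mirrored for `spec.template.spec.containers[]` and for `initContainers[]`), combined with the existing `anyOf` through an `allOf` in the `then:` branch, as sketched below. Separately, the `DockerDefault` entry in the `type` enum appears to be a carry-over from the `docker/default` annotation value rather than a value the `seccompProfile.type` field accepts (the field's values are `RuntimeDefault`, `Localhost` and `Unconfined`); if it is kept deliberately, a comment such as `# DockerDefault kept for backward compatibility with older manifests; confirm against the API reference` next to the enum would record the intent.
```yaml
# … unchanged: annotationsPattern and seccompProfilePattern definitions …
containerSeccompNotUnconfined:
  properties:
    spec:
      properties:
        containers:
          items:
            properties:
              securityContext:
                properties:
                  seccompProfile:
                    properties:
                      type:
                        not:
                          enum:
                            - Unconfined
# … same shape repeated for initContainers and for spec.template.spec.containers …
if: *standardKinds
then:
  allOf:
    - anyOf:
        - $ref: "#/definitions/annotationsPattern"
        - $ref: "#/definitions/seccompProfilePattern"
    - $ref: "#/definitions/containerSeccompNotUnconfined"
```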

0 comments on commit 00d82f2
