AzPolicyAdvertizer

last sync: 2025-May-30 17:23:33 UTC

Kubernetes cluster containers should only use allowed seccomp profiles

Azure BuiltIn Policy definition

Source Azure Portal
Display name Kubernetes cluster containers should only use allowed seccomp profiles
Id 975ce327-682c-4f2e-aa46-b9598289b86c
Version 7.2.0
Details on versioning
Versioning Versions supported for Versioning: 2
7.2.0
7.1.1
Built-in Versioning [Preview]
Category Kubernetes
Microsoft Learn
Description Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '8.1.1'
Repository: Azure-Policy 975ce327-682c-4f2e-aa46-b9598289b86c
Mode Microsoft.Kubernetes.Data
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Compliance Not a Compliance control
Initiatives usage
Rows: 1-1 / 1
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Page of 1
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Kubernetes cluster pod security restricted standards for Linux-based workloads 42b8ef37-b724-4e24-bbc8-7a7708edfe00 Kubernetes GA BuiltIn true
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-08-09 18:17:47 change Minor (7.1.1 > 7.2.0)
2023-06-26 17:52:13 change Patch (7.1.0 > 7.1.1)
2023-05-01 17:41:52 change Minor (7.0.1 > 7.1.0)
2022-10-21 16:42:13 change Patch (7.0.0 > 7.0.1)
2022-09-19 17:41:40 change Major (5.0.1 > 7.0.0)
2022-06-17 16:31:08 change Patch (5.0.0 > 5.0.1)
2022-05-27 20:20:35 change Major (4.2.0 > 5.0.0)
2022-04-29 18:06:01 change Minor (4.1.0 > 4.2.0)
2022-04-01 20:29:14 change Minor (4.0.2 > 4.1.0)
2021-12-06 22:17:57 change Patch (4.0.1 > 4.0.2)
2021-09-08 15:39:57 change Patch (4.0.0 > 4.0.1)
2021-08-30 14:27:30 change Major (3.0.0 > 4.0.0)
2021-03-02 15:11:40 change Major (2.0.1 > 3.0.0)
2020-12-11 15:42:52 change Major (1.0.1 > 2.0.1)
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles
2020-07-08 14:28:08 add 975ce327-682c-4f2e-aa46-b9598289b86c
JSON compare
compare mode: version left: version right:
7.1.1 → 7.2.0 RENAMED
@@ -1,14 +1,35 @@
1
  {
2
  "displayName": "Kubernetes cluster containers should only use allowed seccomp profiles",
3
  "policyType": "BuiltIn",
4
  "mode": "Microsoft.Kubernetes.Data",
5
- "description": "Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
6
  "metadata": {
7
- "version": "7.1.1",
8
  "category": "Kubernetes"
9
  },
10
  "parameters": {
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
11
  "effect": {
12
  "type": "String",
13
  "metadata": {
14
  "displayName": "Effect",
@@ -51,9 +72,60 @@
51
  "metadata": {
52
  "displayName": "Kubernetes label selector",
53
  "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
54
  },
55
- "defaultValue": {}
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
56
  },
57
  "allowedProfiles": {
58
  "type": "Array",
59
  "metadata": {
@@ -91,8 +163,10 @@
91
  },
92
  "then": {
93
  "effect": "[parameters('effect')]",
94
  "details": {
 
 
95
  "templateInfo": {
96
  "sourceType": "PublicURL",
97
  "url": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v3/template.yaml"
98
  },
 
1
  {
2
  "displayName": "Kubernetes cluster containers should only use allowed seccomp profiles",
3
  "policyType": "BuiltIn",
4
  "mode": "Microsoft.Kubernetes.Data",
5
+ "description": "Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
6
  "metadata": {
7
+ "version": "7.2.0",
8
  "category": "Kubernetes"
9
  },
10
  "parameters": {
11
+ "source": {
12
+ "type": "String",
13
+ "metadata": {
14
+ "displayName": "Source",
15
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
16
+ },
17
+ "allowedValues": [
18
+ "All",
19
+ "Generated",
20
+ "Original"
21
+ ],
22
+ "defaultValue": "Original"
23
+ },
24
+ "warn": {
25
+ "type": "Boolean",
26
+ "metadata": {
27
+ "displayName": "Warn",
28
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
29
+ },
30
+ "defaultValue": false
31
+ },
32
  "effect": {
33
  "type": "String",
34
  "metadata": {
35
  "displayName": "Effect",
 
72
  "metadata": {
73
  "displayName": "Kubernetes label selector",
74
  "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
75
  },
76
+ "defaultValue": {},
77
+ "schema": {
78
+ "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
79
+ "type": "object",
80
+ "properties": {
81
+ "matchLabels": {
82
+ "description": "matchLabels is a map of {key,value} pairs.",
83
+ "type": "object",
84
+ "additionalProperties": {
85
+ "type": "string"
86
+ },
87
+ "minProperties": 1
88
+ },
89
+ "matchExpressions": {
90
+ "description": "matchExpressions is a list of values, a key, and an operator.",
91
+ "type": "array",
92
+ "items": {
93
+ "type": "object",
94
+ "properties": {
95
+ "key": {
96
+ "description": "key is the label key that the selector applies to.",
97
+ "type": "string"
98
+ },
99
+ "operator": {
100
+ "description": "operator represents a key's relationship to a set of values.",
101
+ "type": "string",
102
+ "enum": [
103
+ "In",
104
+ "NotIn",
105
+ "Exists",
106
+ "DoesNotExist"
107
+ ]
108
+ },
109
+ "values": {
110
+ "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
111
+ "type": "array",
112
+ "items": {
113
+ "type": "string"
114
+ }
115
+ }
116
+ },
117
+ "required": [
118
+ "key",
119
+ "operator"
120
+ ],
121
+ "additionalProperties": false
122
+ },
123
+ "minItems": 1
124
+ }
125
+ },
126
+ "additionalProperties": false
127
+ }
128
  },
129
  "allowedProfiles": {
130
  "type": "Array",
131
  "metadata": {
 
163
  },
164
  "then": {
165
  "effect": "[parameters('effect')]",
166
  "details": {
167
+ "source": "[parameters('source')]",
168
+ "warn": "[parameters('warn')]",
169
  "templateInfo": {
170
  "sourceType": "PublicURL",
171
  "url": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v3/template.yaml"
172
  },
JSON
api-version=2021-06-01
EPAC 
{7 items
  • displayName: "Kubernetes cluster containers should only use allowed seccomp profiles",
  • policyType: "BuiltIn",
  • mode: "Microsoft.Kubernetes.Data",
  • description: "Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
  • metadata: {2 items
    • version: "7.2.0",
    • category: "Kubernetes"
    },
  • parameters: {9 items
    • source: {4 items
      • type: "String",
      • metadata: {2 items
        • displayName: "Source",
        • description: "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
        },
      • allowedValues: [3 items
        • "All",
        • "Generated",
        • "Original"
        ],
      • defaultValue: "Original"
      },
    • warn: {3 items
      • type: "Boolean",
      • metadata: {2 items
        • displayName: "Warn",
        • description: "Whether or not to return warnings back to the user in the kubectl cli"
        },
      • defaultValue: false
      },
    • effect: {4 items
      • type: "String",
      • metadata: {3 items
        • displayName: "Effect",
        • description: "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.",
        • portalReview: true
        },
      • allowedValues: [6 items
        • "audit",
        • "Audit",
        • "deny",
        • "Deny",
        • "disabled",
        • "Disabled"
        ],
      • defaultValue: "Audit"
      },
    • excludedNamespaces: {3 items
      • type: "Array",
      • metadata: {2 items
        • displayName: "Namespace exclusions",
        • description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design. "azure-extensions-usage-system" is optional to remove."
        },
      • defaultValue: [4 items
        • "kube-system",
        • "gatekeeper-system",
        • "azure-arc",
        • "azure-extensions-usage-system"
        ]
      },
    • namespaces: {3 items
      • type: "Array",
      • metadata: {2 items
        • displayName: "Namespace inclusions",
        • description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
      • defaultValue: []
      },
    • labelSelector: {4 items
      • type: "Object",
      • metadata: {2 items
        • displayName: "Kubernetes label selector",
        • description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
        },
      • defaultValue: {},
      • schema: {4 items
        • description: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
        • type: "object",
        • properties: {2 items},
        • additionalProperties: false
        }
      },
    • allowedProfiles: {3 items
      • type: "Array",
      • metadata: {3 items
        • displayName: "Allowed seccomp profiles",
        • description: "The list of seccomp profiles that containers are allowed to use. E.g. '`runtime/default`, `docker/default`, `unconfined` and/or `localhost/*`'. Provide empty list as input to block everything. Putting a `*` in this array allows all Profiles to be used.",
        • portalReview: true
        },
      • defaultValue: []
      },
    • excludedContainers: {3 items
      • type: "Array",
      • metadata: {2 items
        • displayName: "Containers exclusions",
        • description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces."
        },
      • defaultValue: []
      },
    • excludedImages: {3 items
      • type: "Array",
      • metadata: {3 items
        • displayName: "Image exclusions",
        • description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.",
        • portalReview: true
        },
      • defaultValue: []
      }
    },
  • policyRule: {2 items
    • if: {2 items
      • field: "type",
      • in: [2 items
        • "Microsoft.Kubernetes/connectedClusters",
        • "Microsoft.ContainerService/managedClusters"
        ]
      },
    • then: {2 items
      • effect: "[parameters('effect')]",
      • details: {9 items
        • source: "[parameters('source')]",
        • warn: "[parameters('warn')]",
        • templateInfo: {2 items
          • sourceType: "PublicURL",
          • url: "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v3/template.yaml"
          },
        • apiGroups: [1 item
          • ""
          ],
        • kinds: [1 item
          • "Pod"
          ],
        • excludedNamespaces: "[parameters('excludedNamespaces')]",
        • namespaces: "[parameters('namespaces')]",
        • labelSelector: "[parameters('labelSelector')]",
        • values: {3 items
          • allowedProfiles: "[parameters('allowedProfiles')]",
          • excludedContainers: "[parameters('excludedContainers')]",
          • excludedImages: "[parameters('excludedImages')]"
          }
        }
      }
    }
}