From d765cc639159615eb599f9746c276d85bea165bc Mon Sep 17 00:00:00 2001
From: Strigix <64960813+Strigix@users.noreply.github.com>
Date: Tue, 17 Jan 2023 15:51:04 +0100
Subject: [PATCH] Update psp-policies.yaml (#682)

* Update psp-policies.yaml
allow all seccomp profiles in restricted and set runtime/default as default profile for components using the restricted PSPs.
* Update CHANGELOG.md
---
 CHANGELOG.md | 4 ++++
 templates/files/k8s-resource/psp-policies.yaml | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b52ee5e3..0ff20cfe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+
 ### Changed
 - Change api server resources calculation to leave more room for pods on master nodes.
@@ -20,11 +21,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [Azure] Bump azure-cloud-node-manager-app to `v1.24.6-gs1`.
 - [Azure] Bump azuredisk-csi-driver-app to `v1.25.2-gs1`.
 - [AWS] Bump aws-ebs-csi-driver app to `v2.19.1`.
+- Allowed the use of all seccomp profiles for components under the restricted podsecurity policy.
+- Set the default seccomp profile to runtime/default under the restricted podsecurity policy.
 ### Added
 - Add registry mirror setting to docker daemon.
+
 ## [14.8.0] - 2022-12-13
 ### Added
diff --git a/templates/files/k8s-resource/psp-policies.yaml b/templates/files/k8s-resource/psp-policies.yaml
index ac96753e..b5d04c68 100644
--- a/templates/files/k8s-resource/psp-policies.yaml
+++ b/templates/files/k8s-resource/psp-policies.yaml
@@ -30,6 +30,9 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: restricted
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
 spec:
   privileged: false
   fsGroup:
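Review bot: The `allowedProfileNames: '*'` annotation added under `metadata` of the `restricted` PodSecurityPolicy also admits the `unconfined` profile, so any pod that explicitly asks for it runs with no seccomp filter at all, and the new `defaultProfileName` only covers pods that set no profile; the policy named restricted therefore no longer enforces seccomp for pods that opt out. If the goal is to let components choose a profile, enumerate the accepted ones instead of the wildcard, e.g. `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'` (plus any required `localhost/<profile-name>` entries, placeholder), so an explicit `unconfined` is still rejected by the restricted policy. If the wildcard is intentional, as the commit message suggests, a comment on that line recording why the restricted policy is allowed to admit unconfined pods would spare the next reader from reverting it. These are the legacy PSP-era seccomp annotations on a `policy/v1beta1` object, so the CHANGELOG entry might also say that the same guarantee should be re-checked on whatever replaces the PSPs. The `spec` block continues outside the hunk.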