@Ankurk99
Created June 9, 2023 15:35
# Auto-generated (autopol) KubeArmor policy for the Vault server pods.
# Indentation restored; entries are exactly as generated.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-1836005104
  namespace: default
spec:
  action: Allow                  # allow-list: only the matched files/processes are permitted
  file:
    matchDirectories:
    - dir: /                     # recursive "/" already covers every file, including /sys/ and /tmp/ below
      recursive: true
    - dir: /sys/
      recursive: true
    - dir: /tmp/
      recursive: true
    matchPaths:
    - path: /bin/vault           # listed again below with readOnly: true
    - path: /home/vault/.cache/snowflake/ocsp_response_cache.json
    - path: /vault/config/..2023_06_09_15_15_39.2805095565/extraconfig-from-values.hcl   # timestamped projected-volume directory
    - path: /vault/data/core/_seal-config
    - path: /bin/cp
      readOnly: true
    - path: /bin/grep
      readOnly: true
    - path: /bin/sed
      readOnly: true
    - path: /bin/vault
      readOnly: true
    - path: /usr/bin/id
      readOnly: true
    - path: /usr/local/bin/docker-entrypoint.sh
      readOnly: true
    - path: /usr/bin/vault
      readOnly: true
    - path: /bin/busybox
      readOnly: true
  process:
    matchPaths:                  # binaries the Vault container was observed executing
    - path: /bin/cp
    - path: /bin/grep
    - path: /bin/sed
    - path: /bin/vault
    - path: /usr/bin/id
    - path: /usr/local/bin/docker-entrypoint.sh
    - path: /usr/bin/vault
    - path: /bin/busybox
  selector:
    matchLabels:
      app.kubernetes.io/instance: vault
      app.kubernetes.io/name: vault
      component: server
      helm.sh/chart: vault-0.24.1
  severity: 1
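Before applying a generated allow-list like the one above, it is worth checking it for rules that cancel themselves out. In KubeArmor an Allow policy is a whitelist, so a recursive `dir: /` under `file` permits every file and makes the individual `matchPaths` entries meaningless; the same path listed twice with different `readOnly` flags is ambiguous; and a path inside a `..<timestamp>` directory is a Kubernetes projected-volume snapshot that is replaced on the next ConfigMap or Secret update, so that rule goes stale. The script below is an added example written for this page, not code from the gist or from KubeArmor; the policy dict is the gist's policy transcribed by hand (to avoid a YAML-parser dependency), the finding codes and the `CLEAN_POLICY` fixture are this example's own constructions, and the timestamp pattern assumes the `..YYYY_MM_DD_HH_MM_SS.<nanos>` directory name that the kubelet's atomic writer uses.

```python
"""Lint a KubeArmorPolicy for allow-list rules that defeat their own purpose.

Added example, not part of the gist. POLICY is the gist's policy transcribed
by hand; finding codes are this script's own convention.
"""
import re


def _paths(*names, **flags):
    """Build matchPaths entries, e.g. _paths("/bin/cp", readOnly=True)."""
    return [dict(path=n, **flags) for n in names]


POLICY = {
    "apiVersion": "security.kubearmor.com/v1",
    "kind": "KubeArmorPolicy",
    "metadata": {"name": "autopol-system-1836005104", "namespace": "default"},
    "spec": {
        "action": "Allow",
        "file": {
            "matchDirectories": [
                {"dir": "/", "recursive": True},
                {"dir": "/sys/", "recursive": True},
                {"dir": "/tmp/", "recursive": True},
            ],
            "matchPaths": _paths(
                "/bin/vault",
                "/home/vault/.cache/snowflake/ocsp_response_cache.json",
                "/vault/config/..2023_06_09_15_15_39.2805095565/extraconfig-from-values.hcl",
                "/vault/data/core/_seal-config",
            ) + _paths(
                "/bin/cp", "/bin/grep", "/bin/sed", "/bin/vault", "/usr/bin/id",
                "/usr/local/bin/docker-entrypoint.sh", "/usr/bin/vault", "/bin/busybox",
                readOnly=True,
            ),
        },
        "process": {"matchPaths": _paths(
            "/bin/cp", "/bin/grep", "/bin/sed", "/bin/vault", "/usr/bin/id",
            "/usr/local/bin/docker-entrypoint.sh", "/usr/bin/vault", "/bin/busybox",
        )},
        "selector": {"matchLabels": {
            "app.kubernetes.io/instance": "vault", "app.kubernetes.io/name": "vault",
            "component": "server", "helm.sh/chart": "vault-0.24.1",
        }},
        "severity": 1,
    },
}

# Constructed fixture: a tight policy that should produce no findings.
CLEAN_POLICY = {"spec": {"action": "Allow", "file": {
    "matchDirectories": [{"dir": "/vault/data/", "recursive": True}],
    "matchPaths": _paths("/bin/vault", readOnly=True),
}}}

# Kubelet projected volumes live in "..YYYY_MM_DD_HH_MM_SS.<nanos>/" and are
# swapped for a fresh directory on every update (assumption stated above).
PROJECTED_TS = re.compile(r"/\.\.\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}\.\d+/")


def lint_policy(policy):
    """Return a list of (code, message) findings for the file rules."""
    findings = []
    spec = policy.get("spec", {})
    file_rules = spec.get("file", {})
    dirs = file_rules.get("matchDirectories", [])
    paths = file_rules.get("matchPaths", [])

    # An Allow rule on recursive "/" whitelists every file in the container.
    if spec.get("action") == "Allow" and any(
            d.get("dir") == "/" and d.get("recursive") for d in dirs):
        findings.append(("ROOT_ALLOW", "file: Allow on recursive '/' permits every "
                         "file, so the explicit file allow-list has no effect"))

    # A directory already inside a broader recursive directory adds nothing.
    recursive = [d["dir"] for d in dirs if d.get("recursive")]
    for d in dirs:
        for parent in recursive:
            if d["dir"] != parent and d["dir"].startswith(parent):
                findings.append(("SUBSUMED_DIR", f"file: '{d['dir']}' is already "
                                 f"covered by recursive '{parent}'"))
                break

    first_seen = {}
    for p in paths:
        read_only = bool(p.get("readOnly", False))
        if p["path"] in first_seen:
            detail = ("conflicting readOnly flags" if first_seen[p["path"]] != read_only
                      else "identical entries")
            findings.append(("DUPLICATE_PATH",
                             f"file: '{p['path']}' listed more than once ({detail})"))
        else:
            first_seen[p["path"]] = read_only
        if PROJECTED_TS.search(p["path"]):
            findings.append(("PROJECTED_TS_PATH", f"file: '{p['path']}' is pinned to a "
                             "timestamped projected-volume directory and will go stale"))
    return findings


def finding_codes(policy):
    """Just the finding codes, in the order they were raised."""
    return [code for code, _ in lint_policy(policy)]


if __name__ == "__main__":
    for code, message in lint_policy(POLICY):
        print(f"{code:18} {message}")
```

Run against the gist's policy the script reports the root allow, the two subsumed directories, the duplicated `/bin/vault` entry with conflicting `readOnly` flags, and the timestamped config path; whether the remaining entries are sufficient for Vault once `dir: /` is removed is something to confirm by running the policy in Audit mode first, not something this check can decide.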