Ensure that the seccomp profile is set to docker/default in your pod definitions

Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.21
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesPod should have (annotations contain [ key='seccomp.security.alpha.kubernetes.io/pod' ]) or (spec.containers contain [ securityContext.seccompProfile.type='RuntimeDefault' ] and spec.initContainers isEmpty() or spec.initContainers contain [ securityContext.seccompProfile.type='RuntimeDefault' ])

REMEDIATION

Use a security context to enable the docker/default seccomp profile in your pod definitions: set securityContext.seccompProfile.type to RuntimeDefault (the container runtime's default profile, which is docker/default under Docker) on every container and init container, rather than relying on the legacy seccomp.security.alpha.kubernetes.io/pod annotation.
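The check below is an added example, not CloudGuard's rule engine: it evaluates this rule's GSL logic against Pod manifests loaded as Python dicts (for instance from yaml.safe_load) and returns the names of the pods that would be flagged. It assumes that every container and init container must resolve to a RuntimeDefault profile (stricter than a literal "contain" reading), that the legacy annotation passes by key presence as in the GSL, and, going beyond the GSL, that a pod-level spec.securityContext.seccompProfile counts, since Kubernetes applies it to containers that set none of their own; the sample manifests are constructed.

```python
# Added example, not CloudGuard's own rule engine: evaluates this rule's GSL
# logic against Pod manifests loaded as dicts (e.g. via yaml.safe_load).
# Assumed here: every container and init container must resolve to RuntimeDefault
# (stricter than a literal "contain"), the legacy annotation passes by key presence
# as in the GSL, and a pod-level spec.securityContext.seccompProfile counts, since
# Kubernetes applies it to containers that set none of their own.
LEGACY_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"

def effective_seccomp_type(container: dict, pod_spec: dict) -> str:
    """Container-level seccompProfile wins; otherwise inherit the pod level."""
    for holder in (container, pod_spec):
        profile = (holder.get("securityContext") or {}).get("seccompProfile") or {}
        if profile.get("type"):
            return profile["type"]
    return ""  # none set anywhere: the container runs Unconfined by default

def pod_seccomp_compliant(pod: dict) -> bool:
    """Legacy annotation present, or every container and init container on RuntimeDefault."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    if LEGACY_ANNOTATION in annotations:
        return True
    spec = pod.get("spec") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    return bool(containers) and all(
        effective_seccomp_type(c, spec) == "RuntimeDefault" for c in containers)

def findings(pods: list) -> list:
    """Names of pods that would fail rule D9.K8S.IAM.21."""
    return [p["metadata"]["name"] for p in pods if not pod_seccomp_compliant(p)]

RT = {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}
SAMPLE_PODS = [  # constructed manifests exercising each branch of the rule
    {"metadata": {"name": "unconfined"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    {"metadata": {"name": "container-level"},
     "spec": {"containers": [{"name": "web", "image": "nginx", **RT}]}},
    {"metadata": {"name": "init-gap"},
     "spec": {"initContainers": [{"name": "setup", "image": "busybox"}],
              "containers": [{"name": "web", "image": "nginx", **RT}]}},
    {"metadata": {"name": "pod-level"},
     "spec": {**RT, "containers": [{"name": "web", "image": "nginx"},
                                   {"name": "sidecar", "image": "envoy"}]}},
    {"metadata": {"name": "legacy-annotation",
                  "annotations": {LEGACY_ANNOTATION: "runtime/default"}},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
]

if __name__ == "__main__":
    print("non-compliant:", findings(SAMPLE_PODS))
```

Running it reports "unconfined" and "init-gap": the second fails only because its init container has no profile, which is the gap the initContainers clause in the GSL is there to catch.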

References

  1. https://github.com/kubernetes/kubernetes/issues/39845
  2. https://github.com/kubernetes/kubernetes/pull/21790
  3. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/seccomp.md#examples
  4. https://docs.docker.com/engine/security/seccomp/

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices
  • OpenShift Container Platform v3