Pod seccomp profile should be set to ‘docker/default’

Description

The seccomp profile should be set to runtime/default or docker/default in pod definitions. Secure Computing Mode (seccomp) is a Linux kernel facility that restricts which system calls a process may make; applying a default profile to a workload removes rarely needed syscalls from the kernel attack surface that a compromised container could reach. The docker/default profile was deprecated in Kubernetes 1.11 and runtime/default should now be used.

Remediation Steps

Kubernetes Manifest (YAML)

Ensure that each Kubernetes.Pod carries the annotation seccomp.security.alpha.kubernetes.io/pod set to "runtime/default" or "docker/default".

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: hello
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
# other required fields here
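As an added example (not part of this rule page or any scanner's own code), the following Python check applies the rule above to parsed Pod manifests: it reads the seccomp.security.alpha.kubernetes.io/pod annotation described here and, as an assumed extension, also recognises the pod-level securityContext.seccompProfile field so that both spellings are judged against the same accepted values. The sample manifests at the bottom are constructed for this example.

```python
"""Static check for the pod seccomp rule above (added example).

Works on a parsed Pod manifest (the dict PyYAML or json would produce),
so it needs no third-party library. Sample manifests are constructed.
"""
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
ACCEPTED = {"runtime/default", "docker/default"}
# securityContext.seccompProfile (the field that replaced the annotation)
# expressed in the annotation's spelling so both compare against ACCEPTED.
TYPE_TO_ANNOTATION = {"RuntimeDefault": "runtime/default", "Unconfined": "unconfined"}


def pod_seccomp_profile(manifest):
    """Return the pod-level seccomp profile as a string, or None if unset."""
    metadata = manifest.get("metadata") or {}
    annotations = metadata.get("annotations") or {}
    if POD_ANNOTATION in annotations:          # the rule's annotation wins
        return str(annotations[POD_ANNOTATION])
    spec = manifest.get("spec") or {}
    profile = (spec.get("securityContext") or {}).get("seccompProfile")
    if not profile:
        return None
    kind = profile.get("type")
    if kind == "Localhost":                    # custom profile, not a default
        return "localhost/" + str(profile.get("localhostProfile", ""))
    return TYPE_TO_ANNOTATION.get(kind, kind)


def check_pod(manifest):
    """Return (passed, message); non-Pod objects pass with a note."""
    if manifest.get("kind") != "Pod":
        return True, "not a Pod, skipped"
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    profile = pod_seccomp_profile(manifest)
    if profile is None:
        return False, f"{name}: no pod-level seccomp profile set"
    if profile not in ACCEPTED:
        return False, f"{name}: seccomp profile {profile!r} is not an accepted default"
    return True, f"{name}: seccomp profile {profile!r}"


# Constructed sample manifests for the three cases a scan typically meets.
COMPLIANT = {"kind": "Pod", "metadata": {"name": "hello", "annotations": {POD_ANNOTATION: "runtime/default"}}, "spec": {"containers": [{"name": "hello", "image": "busybox"}]}}
MISSING = {"kind": "Pod", "metadata": {"name": "no-profile"}, "spec": {"containers": [{"name": "app", "image": "busybox"}]}}
UNCONFINED = {"kind": "Pod", "metadata": {"name": "wide-open"}, "spec": {"securityContext": {"seccompProfile": {"type": "Unconfined"}}, "containers": []}}

if __name__ == "__main__":
    for pod in (COMPLIANT, MISSING, UNCONFINED):
        passed, msg = check_pod(pod)
        print("PASS" if passed else "FAIL", msg)
```

Feed it the output of yaml.safe_load_all over a manifest directory to scan many objects at once; anything other than a Pod is skipped rather than failed.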