Pod seccomp profile should be set to ‘docker/default’
Description
The seccomp profile should be set to runtime/default or docker/default in pod definitions. The Secure Computing Mode (seccomp) in Linux is used to restrict which syscalls are allowed, which generally increases workload security. The docker/default profile was deprecated in Kubernetes 1.11 and runtime/default should now be used.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that a Kubernetes.Pod has an annotation with seccomp.security.alpha.kubernetes.io/pod set to "runtime/default" or "docker/default".
Example Configuration
apiVersion: v1
kind: Pod
metadata:
  name: hello
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
      # other required fields here
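The following is an added example (not part of this rule page or any scanner's own code) that applies the remediation check above to parsed Pod manifests. It goes slightly beyond the page: besides the annotation, it also accepts the newer securityContext.seccompProfile field (Kubernetes 1.19+, which replaced the annotation) at pod or container level; the sample manifests are constructed.

```python
"""Added example: check Pod manifests for the seccomp setting this rule requires."""
from typing import Any, Dict, List

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
ALLOWED_ANNOTATION_VALUES = {"runtime/default", "docker/default"}
# Newer field-based equivalent (securityContext.seccompProfile.type).
ALLOWED_PROFILE_TYPES = {"RuntimeDefault", "Localhost"}


def _field_profile_ok(security_context: Any) -> bool:
    profile = (security_context or {}).get("seccompProfile") or {}
    return profile.get("type") in ALLOWED_PROFILE_TYPES


def check_pod_seccomp(manifest: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the Pod passes."""
    if manifest.get("kind") != "Pod":
        return []  # only Pod objects are in scope for this rule
    metadata = manifest.get("metadata") or {}
    spec = manifest.get("spec") or {}
    name = metadata.get("name", "<unnamed>")

    # 1. Pod-level annotation, as described in the remediation steps.
    value = (metadata.get("annotations") or {}).get(POD_ANNOTATION)
    if value in ALLOWED_ANNOTATION_VALUES:
        return []
    # 2. Pod-level securityContext.seccompProfile.
    if _field_profile_ok(spec.get("securityContext")):
        return []
    # 3. Every container sets its own restrictive profile.
    containers = spec.get("containers") or []
    if containers and all(_field_profile_ok(c.get("securityContext")) for c in containers):
        return []

    if value is None:
        return [f"{name}: no seccomp profile set (annotation {POD_ANNOTATION} missing)"]
    return [f"{name}: seccomp annotation is '{value}', expected runtime/default or docker/default"]


# Constructed sample manifests (what a YAML parser would return).
PASSING_POD = {"apiVersion": "v1", "kind": "Pod",
               "metadata": {"name": "hello", "annotations": {POD_ANNOTATION: "runtime/default"}},
               "spec": {"containers": [{"name": "hello", "image": "busybox"}]}}
UNCONFINED_POD = {"apiVersion": "v1", "kind": "Pod",
                  "metadata": {"name": "lax", "annotations": {POD_ANNOTATION: "unconfined"}},
                  "spec": {"containers": [{"name": "lax", "image": "busybox"}]}}
MISSING_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bare"},
               "spec": {"containers": [{"name": "bare", "image": "busybox"}]}}

if __name__ == "__main__":
    for pod in (PASSING_POD, UNCONFINED_POD, MISSING_POD):
        print(check_pod_seccomp(pod) or [f"{pod['metadata']['name']}: ok"])
```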