Pod seccomp profile should be set to 'docker/default'
The seccomp profile should be set to runtime/default or docker/default in pod definitions. Secure Computing Mode (seccomp) in Linux restricts which syscalls a process may make, which reduces the kernel attack surface available to a compromised container and so generally increases workload security. The docker/default profile was deprecated in Kubernetes 1.11; runtime/default should now be used.
Kubernetes Manifest (YAML)
Ensure that a Kubernetes.Pod has an annotation with seccomp.security.alpha.kubernetes.io/pod set to
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
spec:
  containers:
    - name: hello
      image: busybox
      command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
      # other required fields here
```
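As an added example that is not part of this policy page or of any scanner, the check below applies the rule to already-parsed Pod manifests (dicts as PyYAML would return them). It goes slightly beyond the annotation form described above by also accepting the field-based form, spec.securityContext.seccompProfile.type, that newer Kubernetes releases use; the sample manifests are constructed.

```python
"""Flag Pod manifests that lack a default seccomp profile (added example)."""

ANNOTATION_KEY = "seccomp.security.alpha.kubernetes.io/pod"
# Annotation values the policy accepts; docker/default is deprecated but still passes.
ALLOWED_ANNOTATION_VALUES = {"runtime/default", "docker/default"}
# Field-based equivalent (spec.securityContext.seccompProfile.type) in newer Kubernetes.
ALLOWED_PROFILE_TYPES = {"RuntimeDefault", "Localhost"}


def pod_seccomp_findings(pod: dict) -> list:
    """Return a list of findings for one parsed Pod; an empty list means it passes."""
    findings = []
    if pod.get("kind") != "Pod":
        return findings  # only Pod manifests are in scope for this check
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    annotation = annotations.get(ANNOTATION_KEY)
    security_context = (pod.get("spec") or {}).get("securityContext") or {}
    profile_type = (security_context.get("seccompProfile") or {}).get("type")

    if annotation == "docker/default":
        findings.append("annotation uses deprecated docker/default; prefer runtime/default")
    if annotation in ALLOWED_ANNOTATION_VALUES or profile_type in ALLOWED_PROFILE_TYPES:
        return findings  # compliant (possibly with the deprecation warning above)
    if annotation is None and profile_type is None:
        findings.append(f"no seccomp profile: set {ANNOTATION_KEY} to runtime/default")
    else:
        # e.g. an explicit "unconfined" annotation disables seccomp entirely
        findings.append(f"seccomp profile is not a default profile "
                        f"(annotation={annotation!r}, type={profile_type!r})")
    return findings


# Constructed sample manifests, not taken from any real cluster.
_CONTAINERS = [{"name": "hello", "image": "busybox"}]
COMPLIANT_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": _CONTAINERS},
                 "metadata": {"name": "hello", "annotations": {ANNOTATION_KEY: "runtime/default"}}}
DEPRECATED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": _CONTAINERS},
                  "metadata": {"name": "hello", "annotations": {ANNOTATION_KEY: "docker/default"}}}
MISSING_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": _CONTAINERS},
               "metadata": {"name": "hello"}}
UNCONFINED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": _CONTAINERS},
                  "metadata": {"name": "hello", "annotations": {ANNOTATION_KEY: "unconfined"}}}
FIELD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hello"},
             "spec": {"containers": _CONTAINERS,
                      "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}}

if __name__ == "__main__":
    for label, pod in [("compliant", COMPLIANT_POD), ("deprecated", DEPRECATED_POD),
                       ("missing", MISSING_POD), ("unconfined", UNCONFINED_POD), ("field", FIELD_POD)]:
        print(label, pod_seccomp_findings(pod) or ["PASS"])
```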