Profile applicability: Level 2
Enable the RuntimeDefault seccomp profile in the pod definitions.

Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. It should be enabled to ensure that the workloads have restricted actions available within the container.

Note: By default, the seccomp profile is set to unconfined, which means that no seccomp profiles are enabled.

Impact
If the RuntimeDefault seccomp profile is too restrictive for you, you would have to create/manage your own Localhost seccomp profiles.

Audit
Review the pod definitions output for all namespaces in the cluster with the command below.
kubectl get pods --all-namespaces -o json | jq -r '.items[] | 
select(.metadata.annotations."seccomp.security.alpha.kubernetes.io/pod" == 
"runtime/default" or .spec.securityContext.seccompProfile.type == 
"RuntimeDefault") | {namespace: .metadata.namespace, name: .metadata.name, 
seccompProfile: .spec.securityContext.seccompProfile.type}'
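
The command above lists pods that already set the profile at pod level. The following added example (not part of the original benchmark text) goes one step further and reports each container whose effective profile is missing or Unconfined, taking container-level overrides into account. The sample data is constructed, the function names are hypothetical, and treating Localhost as acceptable is an assumption.

```python
import json

# Constructed sample shaped like `kubectl get pods --all-namespaces -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "prod", "name": "api"},
  "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
           "containers": [{"name": "app"},
                          {"name": "debug", "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}},
 {"metadata": {"namespace": "prod", "name": "legacy",
               "annotations": {"seccomp.security.alpha.kubernetes.io/pod": "runtime/default"}},
  "spec": {"containers": [{"name": "app"}]}},
 {"metadata": {"namespace": "dev", "name": "batch"},
  "spec": {"initContainers": [{"name": "init"}],
           "containers": [{"name": "job", "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]}}
]}
""")

ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
ALLOWED = {"RuntimeDefault", "Localhost"}  # assumption: Localhost profiles count as compliant

def effective_profile(pod, container):
    """Container-level seccompProfile overrides the pod-level one."""
    for ctx in (container.get("securityContext"), pod["spec"].get("securityContext")):
        profile = (ctx or {}).get("seccompProfile") or {}
        if profile.get("type"):
            return profile["type"]
    # Fall back to the alpha pod annotation that the audit command above also accepts.
    annotations = pod["metadata"].get("annotations") or {}
    if annotations.get(ANNOTATION) == "runtime/default":
        return "RuntimeDefault"
    return "unset"

def find_violations(pod_list):
    """Return (namespace, pod, container, profile) for each container without an allowed profile."""
    violations = []
    for pod in pod_list.get("items", []):
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for c in pod["spec"].get(kind) or []:
                profile = effective_profile(pod, c)
                if profile not in ALLOWED:
                    violations.append((pod["metadata"]["namespace"], pod["metadata"]["name"], c["name"], profile))
    return violations

if __name__ == "__main__":
    for v in find_violations(SAMPLE):
        print("%s/%s container=%s seccomp=%s" % v)
```

To run it against a live cluster, replace SAMPLE with the parsed output of the kubectl command above.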
Remediation
Use the security context to enable the RuntimeDefault seccomp profile in your pod definitions. An example is shown below:
{
    "namespace": "kube-system",
    "name": "metrics-server-v0.7.0-dbcc8ddf6-gz7d4",
    "seccompProfile": "RuntimeDefault"
}