Restrict Seccomp Strict
Description
Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited. This is a Linux-only policy in v1.25+ (spec.os.name != windows); pods that declare spec.os.name as windows are exempt.
Restricted Fields
- spec.securityContext.seccompProfile.type
- spec.containers[*].securityContext.seccompProfile.type
- spec.initContainers[*].securityContext.seccompProfile.type
- spec.ephemeralContainers[*].securityContext.seccompProfile.type
Allowed Values
- RuntimeDefault
- Localhost
Risks
Seccomp filters the syscalls a process may make according to rules defined in a seccomp profile. Do not use the Unconfined profile: it allows a container to invoke any syscall. Many syscalls are harmless, but others can be used to escalate privileges, adjust kernel settings, or perform other undesirable actions. Applying a seccomp profile reduces the kernel attack surface by restricting the syscalls a container can make; RuntimeDefault applies the container runtime's built-in profile, and Localhost applies a profile file already present on the node.
Kyverno Policy
Refer to the Nirmata curated policies - restrict-seccomp-strict.yaml
References
Configuration Settings
Use of the Unconfined seccomp profile, or omitting the profile entirely, is disallowed. The fields spec.securityContext.seccompProfile.type, spec.containers[*].securityContext.seccompProfile.type, spec.initContainers[*].securityContext.seccompProfile.type, and spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to RuntimeDefault or Localhost. In the pattern below the pod-level field is required, while the container-level fields are optional (the =() anchor means "if present, must match") but must carry an allowed value whenever they are set; a container without its own seccompProfile inherits the pod-level one.
securityContext:
  seccompProfile:
    type: "RuntimeDefault | Localhost"
=(ephemeralContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
=(initContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
containers:
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
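The following is an added example, not Kyverno or Kubernetes code: an offline checker that applies the same rules as the pattern above to a Pod spec loaded as a plain dictionary (pod-level type required, container-level type optional but constrained, Windows pods exempt). It also computes the seccomp type each container actually runs with, so a reviewer can confirm nothing silently ends up Unconfined. The extra localhostProfile check is not part of the pattern; it reflects the API server's own validation that Localhost requires a profile name. The sample specs at the bottom are constructed for illustration.

```python
"""Offline checker mirroring the restrict-seccomp-strict pattern (added example)."""

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def seccomp_profile(obj):
    """securityContext.seccompProfile of a pod spec or container ({} if absent)."""
    return (obj.get("securityContext") or {}).get("seccompProfile") or {}


def _check_profile(prof, path, required):
    """Validate one seccompProfile block; return a list of violation messages."""
    ptype = prof.get("type")
    if ptype is None:
        return [f"{path}.type must be set"] if required else []
    if ptype not in ALLOWED_TYPES:
        return [f"{path}.type={ptype!r} is not allowed"]
    # Not in the Kyverno pattern: the API server rejects Localhost without a profile name.
    if ptype == "Localhost" and not prof.get("localhostProfile"):
        return [f"{path}.localhostProfile must be set for type Localhost"]
    return []


def check_seccomp_strict(spec):
    """Return violation messages for a Pod spec; an empty list means it passes.

    Pod-level type is required (no =() anchor on securityContext in the pattern);
    each container's type is optional but, when set, must be an allowed value.
    Pods with spec.os.name == windows are exempt because the policy is Linux-only.
    """
    if (spec.get("os") or {}).get("name") == "windows":
        return []
    violations = _check_profile(seccomp_profile(spec), "spec.securityContext.seccompProfile", True)
    for list_name in CONTAINER_LISTS:
        for i, container in enumerate(spec.get(list_name) or []):
            path = f"spec.{list_name}[{i}].securityContext.seccompProfile"
            violations += _check_profile(seccomp_profile(container), path, False)
    return violations


def effective_profiles(spec):
    """Map container name -> seccomp type it actually runs with.

    A container-level setting overrides the pod-level one; with neither set the
    container runs Unconfined, which is exactly what the policy is meant to prevent.
    """
    pod_type = seccomp_profile(spec).get("type") or "Unconfined"
    result = {}
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            result[container["name"]] = seccomp_profile(container).get("type") or pod_type
    return result


# Constructed sample specs (illustrative, not real workloads).
GOOD_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "init", "securityContext": {"seccompProfile": {
        "type": "Localhost", "localhostProfile": "operator/default/profile1.json"}}}],
    "containers": [{"name": "app"}],
}
BAD_SPEC = {  # no pod-level profile, and one container explicitly opts out
    "containers": [
        {"name": "app"},
        {"name": "debug", "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
    ],
}
WINDOWS_SPEC = {"os": {"name": "windows"}, "containers": [{"name": "iis"}]}

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC), ("windows", WINDOWS_SPEC)):
        print(name, check_seccomp_strict(spec) or "OK", effective_profiles(spec))
```

Running the script reports the good spec as passing, two violations for the bad spec (missing pod-level type and the Unconfined debug container), and no violations for the Windows pod. The effective_profiles output for the bad spec shows both containers running Unconfined, which is the condition the policy exists to catch even when no field is set to an explicitly forbidden value.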
Resource Example
Below is a Deployment resource example where securityContext.seccompProfile.type is set to either RuntimeDefault or Localhost for all initContainers, containers, and spec.securityContext.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: operator/default/profile1.json
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: RuntimeDefault
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: RuntimeDefault