Seccomp by Default: Kubernetes Container Security
Kubernetes 1.24 enables Seccomp profiles by default, restricting system calls available to containers. This improves security posture for all workloads.
Understanding Seccomp
Seccomp (Secure Computing Mode) is a Linux kernel feature that limits which system calls a process can make, shrinking the kernel attack surface reachable from a compromised container.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault # Now default in 1.24
  containers:
    - name: app
      image: nginx
```
Profile Types
```yaml
# RuntimeDefault - uses container runtime's default profile
seccompProfile:
  type: RuntimeDefault

# Localhost - custom profile from node
seccompProfile:
  type: Localhost
  localhostProfile: profiles/audit.json

# Unconfined - no restrictions (not recommended)
seccompProfile:
  type: Unconfined
```
Custom Seccomp Profiles
```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["read", "write", "exit", "exit_group", "mmap", "close"],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
```
Deploy the custom profile:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: custom-seccomp
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      # path is relative to the kubelet's seccomp profile root directory on the node
      localhostProfile: my-profile.json
  containers:
    - name: app
      image: myapp
```
Auditing System Calls
Create an audit profile to discover required syscalls:
```json
{
  "defaultAction": "SCMP_ACT_LOG",
  "architectures": ["SCMP_ARCH_X86_64"]
}
```
Check the kernel log for seccomp audit entries:
```bash
# View seccomp violations
journalctl -k | grep "seccomp"
dmesg | grep "seccomp"
```
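The audit workflow above produces kernel log lines, one per syscall, that still have to be turned into an allowlist profile like the custom profile shown earlier. The following added example (not from the original post) does that step: it parses constructed seccomp audit lines, maps the syscall numbers to names with a deliberately partial x86_64 table (an assumption for the example), and emits a profile that denies everything not observed.

```python
import json
import re

# Partial x86_64 syscall number -> name table (assumption: only the numbers this example
# needs; a real tool would load the full table, e.g. from /usr/include/asm/unistd_64.h).
SYSCALL_NAMES_X86_64 = {
    0: "read", 1: "write", 3: "close", 9: "mmap", 41: "socket", 49: "bind",
    50: "listen", 231: "exit_group", 232: "epoll_wait", 257: "openat", 288: "accept4",
}

# Constructed kernel audit lines (fields trimmed) as produced by a SCMP_ACT_LOG profile;
# type=1326 is a seccomp record, arch=c000003e is x86_64, code=0x7ffc0000 is the log action.
SAMPLE_AUDIT_LOG = """\
audit: type=1326 audit(1700000000.1:201): pid=4242 comm="nginx" arch=c000003e syscall=41 code=0x7ffc0000
audit: type=1326 audit(1700000000.2:202): pid=4242 comm="nginx" arch=c000003e syscall=49 code=0x7ffc0000
audit: type=1326 audit(1700000000.3:203): pid=4242 comm="nginx" arch=c000003e syscall=50 code=0x7ffc0000
audit: type=1326 audit(1700000000.4:204): pid=4242 comm="nginx" arch=c000003e syscall=288 code=0x7ffc0000
audit: type=1326 audit(1700000000.5:205): pid=4242 comm="nginx" arch=c000003e syscall=0 code=0x7ffc0000
audit: type=1326 audit(1700000000.6:206): pid=4242 comm="nginx" arch=c000003e syscall=1 code=0x7ffc0000
audit: type=1326 audit(1700000000.7:207): pid=4242 comm="nginx" arch=c000003e syscall=41 code=0x7ffc0000
audit: type=1327 audit(1700000000.8:208): proctitle="nginx"
kernel: eth0: link is up
"""

SECCOMP_LINE = re.compile(r'type=1326 .*?comm="(?P<comm>[^"]*)".*? syscall=(?P<nr>\d+)')

def syscalls_from_audit(log_text, comm=None):
    """Return the set of syscall numbers logged for the given process name (or for all)."""
    seen = set()
    for line in log_text.splitlines():
        m = SECCOMP_LINE.search(line)
        if m and (comm is None or m.group("comm") == comm):
            seen.add(int(m.group("nr")))
    return seen

def build_profile(syscall_numbers, table=SYSCALL_NAMES_X86_64):
    """Build an allowlist profile: anything not observed gets SCMP_ACT_ERRNO (EPERM)."""
    unknown = sorted(n for n in syscall_numbers if n not in table)
    if unknown:  # refuse to silently drop syscalls we cannot name
        raise ValueError(f"syscall numbers missing from table: {unknown}")
    names = sorted(table[n] for n in syscall_numbers)
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW"}],
    }

if __name__ == "__main__":
    profile = build_profile(syscalls_from_audit(SAMPLE_AUDIT_LOG, comm="nginx"))
    print(json.dumps(profile, indent=2))
```

An allowlist derived from one audit run only covers the code paths that were exercised, so run the workload through its full set of operations (startup, config reload, error handling) before switching the profile's defaultAction from SCMP_ACT_LOG to SCMP_ACT_ERRNO.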
Summary
Seccomp profiles restrict system calls, limiting container capabilities and reducing security risks. The default profile in Kubernetes 1.24 provides baseline protection.