Profile Applicability:

  • Level 1

Description:
 The seccomp (secure computing mode) profile in Kubernetes allows you to restrict the system calls that containers can make, providing an additional layer of security by preventing malicious or accidental access to critical system resources. This check ensures that the seccomp profile is set to docker/default for all pods, which is the default profile provided by Docker and helps secure the containers running in your Kubernetes cluster.

Rationale:
 Using seccomp profiles helps to mitigate the impact of potential container breaches by limiting the set of system calls that containers can access. The docker/default profile offers a good balance between security and compatibility, ensuring that containers only have access to the necessary system calls without overly restricting their functionality.

Impact:

  • Pros:

    • Enhances the security posture of your Kubernetes cluster by limiting the system calls that containers can perform.

    • Helps prevent containerized applications from interacting with the kernel in harmful ways.

  • Cons:

    • May cause compatibility issues with applications that require access to specific system calls not permitted by the docker/default profile.

    • Requires configuration to ensure the profile is applied correctly across the cluster.

Default Value:
 By default, Kubernetes may not apply seccomp profiles, and containers might run without any seccomp restrictions, exposing them to potential risks.

Pre-requisites:
 Ensure that seccomp support is enabled in your Kubernetes cluster, and that the pods are configured to use the appropriate seccomp profile.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Review the Pod specifications to ensure that the seccomp profile is set to docker/default.

  3. Check the Pod security settings and verify that the seccomp profile is explicitly specified for the pods running in the cluster.

Using Azure CLI:

  1. Use the following command to check the current pod configurations for the seccomp profile:

     kubectl get pods --all-namespaces -o=jsonpath='{.items[*].spec.securityContext.seccompProfile.type}'


  2. Ensure that thseccompProfile.type is set to docker/default for all pods.

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, go to your AKS cluster and access the Pod definitions.

  2. Modify the pod specification to set the seccomp profile to docker/default for containers that require it. For example:

Add the following to your container's securityContext:

securityContext:

  seccompProfile:

    type: Localhost

    localhostProfile: /profile-docker-default.json

  1. Apply this configuration to all relevant pods and deployments.

Using Azure CLI:

To update a Pod or Deployment to use the docker/default seccomp profile, add the following to your pod specification YAML:

securityContext:

  seccompProfile:

    type: RuntimeDefault

  1. Apply the updated configuration with the following command:

     kubectl apply -f pod-spec.yaml


  2. Alternatively, use the following command to add the seccomp profile to a running deployment:

     kubectl edit deployment <deployment-name> --namespace=<namespace>

Backout Plan:

Using Azure Console:

  1. If applying the seccomp profile causes issues, revert the changes in the Azure portal by removing or modifying the seccomp profile settings in the pod definitions.

Using Azure CLI:

  1. Revert the seccomp profile by editing the deployment or pod spec to remove the seccomp profile or set it to a more permissive configuration:

     kubectl edit deployment <deployment-name> --namespace=<namespace-name>


  2. Remove or modify the seccompProfile settings as necessary.

References:

  1. Azure Kubernetes Service (AKS) Best Practices