Prevent Seccomp Overwrite 1.1.5

Secure computing mode (Seccomp) is a Linux feature that prevents processes to perform arbitrary syscalls to the kernel. Seccomp profiles should not be changed or deactivated in manifests defining workloads. If securityContext.seccompProfile is used, the policy will only allow the value RuntimeDefault as type.


Note that this policy is part of the following security standards:

  • k8s/restricted: Heavily restricted policy, following current Pod hardening best practices.
  • nist/SP.800-190: NIST Special Publication 800-190 - Application Container Security Guide: Section 3.4.3
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: SYS.1.6.A17, SYS.1.6.A21
  • Host Access
  • Security
  • bsi/containerization
  • k8s/restricted
  • nist/SP.800-190

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: v1
kind: Pod
metadata:
  name: sysctl-example
spec:
  securityContext:
    seccompProfile:
-     type: Localhost
-     localhostProfile: profiles/myprofile.json
  containers:
    - name: hello
      image: dummy-cronjob:invalid
      securityContext:
        seccompProfile:
          type: RuntimeDefault
    - name: nginx
      image: nginx:1.14.2
      securityContext:
        seccompProfile:
-         type: Localhost
-         localhostProfile: profiles/myprofile.json

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.preventseccompoverwrite as on the example below.
apiVersion: v1
kind: Pod
metadata:
  name: your-pod
  annotations:
    securitytower.io/policy.exclusion.preventseccompoverwrite: |-
      This container must use custom Seccomp profile.
...