Skip to main content

☑️ Ensure seccomp profile is set to docker/default or runtime/default

Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster.
Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.

Targeted objects by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Complexity: medium (What does this mean?)

Policy as code identifier: CIS_INVALID_VALUE_SECCOMP_PROFILE

Important

Starting with Kubernetes 1.27, support for the alpha seccomp annotations seccomp.security.alpha.kubernetes.io/pod and container.seccomp.security.alpha.kubernetes.io will be removed.
The securityContext.seccompProfile field should be used instead.


This rule will fail​

If seccomp is disabled or not set to a valid value:

apiVersion: v1
kind: Pod
metadata:
name: my-pod

Rule output in the CLI​

$ datree test *.yaml

>> File: failExample.yaml
❌ Ensure seccomp profile is set to docker/default or runtime/default [1 occurrence]
💡 Invalid value for key `seccomp.security.alpha.kubernetes.io/pod` - set to docker/default or runtime/default to ensure restricted privileges

How to fix this failure​

Pods should have a seccomp profile set to docker/default or runtime/default.

For Kubernetes versions lower than 1.27:

apiVersion: v1
kind: Pod
metadata:
name: my-pod
annotations:
seccomp.security.alpha.kubernetes.io/pod: docker/default

For Kubernetes versions 1.27 and above:

apiVersion: v1
kind: Pod
spec:
securityContext:
seccompProfile:
type: RuntimeDefault

Read more​