Seccomp profile is not configured
Id: f377b83e-bd07-4f48-a591-60c82b14a78b
Cloud Provider: k8s
Framework: Kubernetes
Severity: Medium
Category: Insecure Configurations
Description
Containers should be configured with a seccomp profile, set either on the pod's securityContext or on each container's securityContext, so that potentially dangerous syscalls are restricted.
Compliant Code Examples
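---
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-1
  annotations:
    # Legacy alpha seccomp annotation kept from the original example.
    # The seccomp.security.alpha.kubernetes.io/* annotations were deprecated
    # in Kubernetes 1.19 and removed in 1.27, and "defaultProfileName" was
    # the PodSecurityPolicy default key rather than the per-pod key, so on
    # a current cluster this line does not enforce a profile by itself.
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  # Supported field for requesting the container runtime's default seccomp
  # profile; it applies to every container in the pod unless a container
  # sets its own securityContext.seccompProfile.
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: foobar
      image: foo/bar:latest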
---
# Compliant: the seccomp profile is set once on the pod securityContext and
# inherited by every container that does not override it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
        # Pod-level RuntimeDefault covers both frontend and echoserver below,
        # since neither declares its own seccompProfile.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: frontend
          image: "nginx"
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 80
        - name: echoserver
          image: "k8s.gcr.io/echoserver:1.4"
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 8080
---
# Compliant: no pod-level seccompProfile, but every container sets
# RuntimeDefault in its own securityContext.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: "nginx"
          # Container-level profile; each container must carry this when the
          # pod securityContext does not set one.
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 80
        - name: echoserver
          image: "k8s.gcr.io/echoserver:1.4"
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8080
Non-Compliant Code Examples
---
# Non-compliant: the pod securityContext sets no seccompProfile and the
# frontend container does not set one either, so frontend falls back to the
# kubelet default (typically Unconfined unless the kubelet's seccomp default
# is enabled). Only echoserver is confined; a single uncovered container is
# enough to trigger the finding.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: "nginx"
          # No seccompProfile here and none at pod level: this is the gap.
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 80
        - name: echoserver
          image: "k8s.gcr.io/echoserver:1.4"
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8080
---
# Non-compliant: frontend has no seccompProfile at all, and echoserver
# explicitly opts out with type Unconfined, which disables syscall filtering
# for that container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: "nginx"
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 80
        - name: echoserver
          image: "k8s.gcr.io/echoserver:1.4"
          securityContext:
            allowPrivilegeEscalation: false
            # Unconfined is an explicit opt-out, not a missing setting; it is
            # flagged the same way as an absent profile.
            seccompProfile:
              type: Unconfined
          ports:
            - containerPort: 8080
---
# Non-compliant: the pod securityContext requests RuntimeDefault, but a
# container-level seccompProfile takes precedence over the pod-level one, so
# echoserver's Unconfined override leaves that container unfiltered. Review
# container securityContexts even when the pod-level setting looks correct.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
        # Inherited by frontend only; echoserver overrides it below.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: frontend
          image: "nginx"
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 80
        - name: echoserver
          image: "k8s.gcr.io/echoserver:1.4"
          securityContext:
            allowPrivilegeEscalation: false
            # Container-level override wins over the pod-level RuntimeDefault.
            seccompProfile:
              type: Unconfined
          ports:
            - containerPort: 8080