Containers should run under a seccomp profile that restricts potentially dangerous syscalls. A pod with no profile (or with type Unconfined) can issue any syscall the kernel exposes, which widens the blast radius of a container compromise; RuntimeDefault applies the container runtime's default profile, and Localhost applies a profile file present on the node. This rule validates that a seccomp profile is configured on kubernetes_pod, kubernetes_cron_job, kubernetes_deployment, and other workload resources. The recommended approach (Kubernetes v1.19+) is to set security_context.seccomp_profile.type to RuntimeDefault or Localhost in the pod spec; for Deployments and CronJobs this is the pod spec inside the pod template, not the top-level spec. A Localhost profile also needs localhost_profile, the path of the profile relative to the kubelet's seccomp profile directory. The legacy annotation seccomp.security.alpha.kubernetes.io/defaultProfileName with value runtime/default is also accepted for older clusters; seccomp annotations have been deprecated since v1.19, so prefer the seccomp_profile block on any current cluster. If neither the seccomp_profile block nor the annotation is configured, the rule reports a MissingAttribute issue. If seccomp_profile.type is set to an insecure value (e.g. Unconfined), the rule reports an IncorrectValue issue; an annotation whose value is anything other than runtime/default is likewise non-compliant (see pod3, cron3 and deployment3 below).
Compliant Code Examples
# Compliant via the legacy annotation on the pod's own metadata.
resource "kubernetes_pod" "pod" {
  metadata {
    name = "terraform-example"
    annotations = {
      "seccomp.security.alpha.kubernetes.io/defaultProfileName" = "runtime/default"
    }
  }
  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"
      env {
        name  = "environment"
        value = "test"
      }
      port {
        container_port = 8080
      }
      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80
          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }
        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }
    dns_config {
      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
      searches    = ["example.com"]
      option {
        name  = "ndots"
        value = 1
      }
      option {
        name = "use-vc"
      }
    }
    dns_policy = "None"
  }
}

# Compliant via the legacy annotation on the job's pod template metadata.
resource "kubernetes_cron_job" "cron" {
  metadata {
    name = "demo"
  }
  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "1 0 * * *"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10
    job_template {
      metadata {}
      spec {
        backoff_limit              = 2
        ttl_seconds_after_finished = 10
        template {
          metadata {
            annotations = {
              "seccomp.security.alpha.kubernetes.io/defaultProfileName" = "runtime/default"
            }
          }
          spec {
            container {
              name    = "hello"
              image   = "busybox"
              command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
            }
          }
        }
      }
    }
  }
}

# Compliant via the legacy annotation on the deployment's pod template metadata.
resource "kubernetes_deployment" "deployment" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }
  spec {
    replicas = 3
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }
    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
        annotations = {
          "seccomp.security.alpha.kubernetes.io/defaultProfileName" = "runtime/default"
        }
      }
      spec {
        container {
          image = "nginx:1.7.8"
          name  = "example"
          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }
          liveness_probe {
            http_get {
              path = "/nginx_status"
              port = 80
              http_header {
                name  = "X-Custom-Header"
                value = "Awesome"
              }
            }
            initial_delay_seconds = 3
            period_seconds        = 3
          }
        }
      }
    }
  }
}

# Compliant via the recommended seccomp_profile block (Kubernetes v1.19+).
resource "kubernetes_pod" "pod_seccomp" {
  metadata {
    name = "terraform-example"
  }
  spec {
    security_context {
      seccomp_profile {
        type = "RuntimeDefault"
      }
    }
    container {
      image = "nginx:1.7.9"
      name  = "example"
    }
  }
}

# Compliant: seccomp_profile set in the pod template's security_context,
# combined with a non-root user and group.
resource "kubernetes_deployment" "deployment_seccomp" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }
  spec {
    replicas = 3
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }
    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }
      spec {
        security_context {
          run_as_non_root = true
          run_as_user     = 1000
          fs_group        = 1000
          seccomp_profile {
            type = "RuntimeDefault"
          }
        }
        container {
          image = "nginx:1.7.8"
          name  = "example"
        }
      }
    }
  }
}

# Compliant: seccomp_profile set in the job's pod template spec.
resource "kubernetes_cron_job" "cron_seccomp" {
  metadata {
    name = "demo"
  }
  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "1 0 * * *"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10
    job_template {
      metadata {}
      spec {
        backoff_limit              = 2
        ttl_seconds_after_finished = 10
        template {
          metadata {}
          spec {
            security_context {
              seccomp_profile {
                type = "RuntimeDefault"
              }
            }
            container {
              name    = "hello"
              image   = "busybox"
              command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
            }
          }
        }
      }
    }
  }
}

# Compliant: a Localhost profile; localhost_profile is the path of the profile
# relative to the kubelet's seccomp profile directory on each node.
resource "kubernetes_deployment" "deployment_seccomp_localhost" {
  metadata {
    name = "terraform-example-localhost"
    labels = {
      test = "MyExampleApp"
    }
  }
  spec {
    replicas = 3
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }
    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }
      spec {
        security_context {
          seccomp_profile {
            type              = "Localhost"
            localhost_profile = "profiles/my-profile.json"
          }
        }
        container {
          image = "nginx:1.7.8"
          name  = "example"
        }
      }
    }
  }
}
Non-Compliant Code Examples
# Non-compliant (MissingAttribute): no seccomp_profile block and no annotation.
resource "kubernetes_pod" "pod1" {
  metadata {
    name = "terraform-example"
  }
  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"
      env {
        name  = "environment"
        value = "test"
      }
      port {
        container_port = 8080
      }
      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80
          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }
        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }
    dns_config {
      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
      searches    = ["example.com"]
      option {
        name  = "ndots"
        value = 1
      }
      option {
        name = "use-vc"
      }
    }
    dns_policy = "None"
  }
}

# Non-compliant (MissingAttribute): an unrelated annotation does not count.
resource "kubernetes_pod" "pod2" {
  metadata {
    name = "terraform-example"
    annotations = {
      SomeAnnotation = "foobar"
    }
  }
  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"
      env {
        name  = "environment"
        value = "test"
      }
      port {
        container_port = 8080
      }
      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80
          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }
        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }
    dns_config {
      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
      searches    = ["example.com"]
      option {
        name  = "ndots"
        value = 1
      }
      option {
        name = "use-vc"
      }
    }
    dns_policy = "None"
  }
}

# Non-compliant: the legacy annotation is present but its value is not runtime/default.
resource "kubernetes_pod" "pod3" {
  metadata {
    name = "terraform-example"
    annotations = {
      "seccomp.security.alpha.kubernetes.io/defaultProfileName" = "rntim/dfl"
    }
  }
  spec {
    container {
      image = "nginx:1.7.9"
      name  = "example"
      env {
        name  = "environment"
        value = "test"
      }
      port {
        container_port = 8080
      }
      liveness_probe {
        http_get {
          path = "/nginx_status"
          port = 80
          http_header {
            name  = "X-Custom-Header"
            value = "Awesome"
          }
        }
        initial_delay_seconds = 3
        period_seconds        = 3
      }
    }
    dns_config {
      nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
      searches    = ["example.com"]
      option {
        name  = "ndots"
        value = 1
      }
      option {
        name = "use-vc"
      }
    }
    dns_policy = "None"
  }
}

# Non-compliant (MissingAttribute): the job's pod template carries no seccomp settings.
resource "kubernetes_cron_job" "cron1" {
  metadata {
    name = "demo"
  }
  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "1 0 * * *"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10
    job_template {
      metadata {}
      spec {
        backoff_limit              = 2
        ttl_seconds_after_finished = 10
        template {
          metadata {}
          spec {
            container {
              name    = "hello"
              image   = "busybox"
              command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
            }
          }
        }
      }
    }
  }
}

# Non-compliant (MissingAttribute): an unrelated annotation on the pod template.
resource "kubernetes_cron_job" "cron2" {
  metadata {
    name = "demo"
  }
  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "1 0 * * *"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10
    job_template {
      metadata {}
      spec {
        backoff_limit              = 2
        ttl_seconds_after_finished = 10
        template {
          metadata {
            annotations = {
              SomeAnnotation = "foobar"
            }
          }
          spec {
            container {
              name    = "hello"
              image   = "busybox"
              command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
            }
          }
        }
      }
    }
  }
}

# Non-compliant: the annotation value is not runtime/default.
# (The annotation key contains dots and a slash, so it must be quoted in HCL.)
resource "kubernetes_cron_job" "cron3" {
  metadata {
    name = "demo"
  }
  spec {
    concurrency_policy            = "Replace"
    failed_jobs_history_limit     = 5
    schedule                      = "1 0 * * *"
    starting_deadline_seconds     = 10
    successful_jobs_history_limit = 10
    job_template {
      metadata {}
      spec {
        backoff_limit              = 2
        ttl_seconds_after_finished = 10
        template {
          metadata {
            annotations = {
              "seccomp.security.alpha.kubernetes.io/defaultProfileName" = "rntim/dfl"
            }
          }
          spec {
            container {
              name    = "hello"
              image   = "busybox"
              command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
            }
          }
        }
      }
    }
  }
}

# Non-compliant (MissingAttribute): no seccomp settings on the pod template.
resource "kubernetes_deployment" "deployment1" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }
  spec {
    replicas = 3
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }
    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }
      spec {
        container {
          image = "nginx:1.7.8"
          name  = "example"
          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }
          liveness_probe {
            http_get {
              path = "/nginx_status"
              port = 80
              http_header {
                name  = "X-Custom-Header"
                value = "Awesome"
              }
            }
            initial_delay_seconds = 3
            period_seconds        = 3
          }
        }
      }
    }
  }
}

# Non-compliant (MissingAttribute): an unrelated annotation on the pod template.
resource "kubernetes_deployment" "deployment2" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }
  spec {
    replicas = 3
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }
    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
        annotations = {
          SomeAnnotation = "foobar"
        }
      }
      spec {
        container {
          image = "nginx:1.7.8"
          name  = "example"
          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }
          liveness_probe {
            http_get {
              path = "/nginx_status"
              port = 80
              http_header {
                name  = "X-Custom-Header"
                value = "Awesome"
              }
            }
            initial_delay_seconds = 3
            period_seconds        = 3
          }
        }
      }
    }
  }
}

# Non-compliant: the annotation value is not runtime/default (key quoted as HCL requires).
resource "kubernetes_deployment" "deployment3" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }
  spec {
    replicas = 3
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }
    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
        annotations = {
          "seccomp.security.alpha.kubernetes.io/defaultProfileName" = "rntim/dfl"
        }
      }
      spec {
        container {
          image = "nginx:1.7.8"
          name  = "example"
          resources {
            limits = {
              cpu    = "0.5"
              memory = "512Mi"
            }
            requests = {
              cpu    = "250m"
              memory = "50Mi"
            }
          }
          liveness_probe {
            http_get {
              path = "/nginx_status"
              port = 80
              http_header {
                name  = "X-Custom-Header"
                value = "Awesome"
              }
            }
            initial_delay_seconds = 3
            period_seconds        = 3
          }
        }
      }
    }
  }
}

# Non-compliant (IncorrectValue): Unconfined disables seccomp filtering entirely.
resource "kubernetes_deployment" "deployment_unconfined" {
  metadata {
    name = "terraform-example-unconfined"
    labels = {
      test = "MyExampleApp"
    }
  }
  spec {
    replicas = 3
    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }
    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }
      spec {
        security_context {
          seccomp_profile {
            type = "Unconfined"
          }
        }
        container {
          image = "nginx:1.7.8"
          name  = "example"
        }
      }
    }
  }
}
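The decision procedure described above (seccomp_profile.type in the pod template's security_context, the legacy annotation as a fallback, MissingAttribute versus IncorrectValue) can be checked locally against a Terraform plan before the code reaches CI. The script below is an added example, not Datadog's rule implementation or the Kubernetes provider's code; it reads `terraform show -json` output, where nested blocks appear as lists, and walks the pod template for kubernetes_pod, kubernetes_deployment and kubernetes_cron_job resources (and their _v1 variants, an assumption about which resource types a reader is likely to use). It goes slightly beyond the page's rule by also rejecting a Localhost profile without localhost_profile, which the Kubernetes API server refuses at apply time. The sample plan fragment is constructed to cover the cases in the examples above.

```python
"""Offline seccomp check over `terraform show -json` plan output (added example)."""
import json
import sys
from typing import Any, Optional

LEGACY_ANNOTATION = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
SECURE_TYPES = {"RuntimeDefault", "Localhost"}

# Block names from a resource's `values` down to the pod template, whose own
# `metadata` and `spec` carry the annotation and the security_context.
# Nested blocks are rendered as lists in plan JSON, so each hop takes element 0.
# The *_v1 entries are an assumption about resource types readers may also use.
POD_TEMPLATE_PATH = {
    "kubernetes_pod": [],
    "kubernetes_pod_v1": [],
    "kubernetes_deployment": ["spec", "template"],
    "kubernetes_deployment_v1": ["spec", "template"],
    "kubernetes_cron_job": ["spec", "job_template", "spec", "template"],
    "kubernetes_cron_job_v1": ["spec", "job_template", "spec", "template"],
}


def _block(parent: Any, key: str) -> dict:
    """First nested block `key` of `parent`, or {} when absent."""
    if not isinstance(parent, dict):
        return {}
    value = parent.get(key)
    if isinstance(value, list):
        value = value[0] if value else None
    return value if isinstance(value, dict) else {}


def check_seccomp(resource: dict) -> Optional[dict]:
    """None when compliant; otherwise {"issue": ..., "detail": ...}."""
    path = POD_TEMPLATE_PATH.get(resource.get("type", ""))
    if path is None:
        return None  # not a workload type this check covers
    template = resource.get("values", {})
    for key in path:
        template = _block(template, key)

    profile = _block(_block(_block(template, "spec"), "security_context"), "seccomp_profile")
    ptype = profile.get("type")
    if ptype is not None:
        if ptype not in SECURE_TYPES:
            return {"issue": "IncorrectValue", "detail": f"seccomp_profile.type = {ptype!r}"}
        if ptype == "Localhost" and not profile.get("localhost_profile"):
            # Stricter than the page's rule (assumption): the API server rejects
            # type Localhost without localhostProfile, so the apply would fail anyway.
            return {"issue": "IncorrectValue", "detail": "Localhost without localhost_profile"}
        return None

    annotations = _block(template, "metadata").get("annotations") or {}
    legacy = annotations.get(LEGACY_ANNOTATION)
    if legacy == "runtime/default":
        return None
    if legacy is not None:
        return {"issue": "IncorrectValue", "detail": f"{LEGACY_ANNOTATION} = {legacy!r}"}
    return {"issue": "MissingAttribute", "detail": "no seccomp_profile block and no legacy annotation"}


def _resources(module: dict):
    """Yield resources of a plan module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _resources(child)


def scan_plan(plan: dict) -> dict:
    """Map resource address -> finding for every non-compliant workload in the plan."""
    findings = {}
    for res in _resources(plan.get("planned_values", {}).get("root_module", {})):
        finding = check_seccomp(res)
        if finding is not None:
            findings[res["address"]] = finding
    return findings


# Constructed plan fragment covering the page's main cases; not real Terraform output.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "kubernetes_pod.pod_seccomp", "type": "kubernetes_pod", "values": {
        "metadata": [{"name": "terraform-example"}],
        "spec": [{"security_context": [{"seccomp_profile": [{"type": "RuntimeDefault"}]}],
                  "container": [{"image": "nginx:1.7.9", "name": "example"}]}]}},
    {"address": "kubernetes_deployment.deployment", "type": "kubernetes_deployment", "values": {
        "spec": [{"template": [{"metadata": [{"annotations": {LEGACY_ANNOTATION: "runtime/default"}}],
                                "spec": [{"container": [{"image": "nginx:1.7.8", "name": "example"}]}]}]}]}},
    {"address": "kubernetes_pod.pod1", "type": "kubernetes_pod", "values": {
        "metadata": [{"name": "terraform-example"}],
        "spec": [{"container": [{"image": "nginx:1.7.9", "name": "example"}]}]}},
    {"address": "kubernetes_cron_job.cron3", "type": "kubernetes_cron_job", "values": {
        "spec": [{"job_template": [{"spec": [{"template": [{
            "metadata": [{"annotations": {LEGACY_ANNOTATION: "rntim/dfl"}}],
            "spec": [{"container": [{"image": "busybox", "name": "hello"}]}]}]}]}]}]}},
    {"address": "kubernetes_deployment.deployment_unconfined", "type": "kubernetes_deployment", "values": {
        "spec": [{"template": [{"metadata": [{}],
                                "spec": [{"security_context": [{"seccomp_profile": [{"type": "Unconfined"}]}]}]}]}]}},
]}}}


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check_seccomp.py plan.json
    # With no argument the constructed SAMPLE_PLAN is scanned instead.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = scan_plan(plan)
    for address, finding in sorted(findings.items()):
        print(f"{address}: {finding['issue']} ({finding['detail']})")
    sys.exit(1 if findings else 0)
```

Run against the sample it reports pod1 as MissingAttribute and cron3 and deployment_unconfined as IncorrectValue, while pod_seccomp and the annotated deployment pass. Because it reads the plan rather than the HCL source, values that come from variables or modules are already resolved, which is the same view the API server will get at apply time.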
rulesets:
  - Terraform / Kubernetes # Rules to enforce / Kubernetes.