seccomp profile is set to docker/default in your pod definitions

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

5.7.2

Set up the kubernetes integration.

Description

Enable Docker/default seccomp profile in your pod definitions.

Rationale

Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.

Audit

Review the pod definitions in your cluster. It should create a line similar to annotations: seccomp.security.alpha.kubernetes.io/pod: docker/default

Remediation

Seccomp is an alpha feature currently. By default, all alpha features are disabled. You need to enable alpha features in the API server by passing the --feature-gates=AllAlpha=true argument. Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to --feature-gates=AllAlpha=true.

Based on your system, restart the kube-apiserver service. For example: systemctl restart kube-apiserver.service Use annotations to enable the docker/default seccomp profile in your pod definitions.

An example:

apiVersion: v1 
kind: Pod 
	metadata: 
		name: trustworthy-pod 
		annotations: seccomp.security.alpha.kubernetes.io/
		pod: docker/default 
		spec: 
			containers: 
				- name: trustworthy-container 
				  image: sotrustworthy:latest

Impact

If the docker/default seccomp profile is too restrictive for you, you would have to create/manage your own seccomp profiles. Also, you need to enable all alpha features for this to work. There is no individual switch to turn on this feature.

Default value

By default, seccomp profile is set to unconfined which means that no seccomp profiles are enabled.

References

  1. https://github.com/kubernetes/kubernetes/issues/39845
  2. https://github.com/kubernetes/kubernetes/pull/21790
  3. https://github.com/kubernetes/community/blob/master/contributors/design-proposals/seccomp.md#examples
  4. https://docs.docker.com/engine/security/seccomp/

CIS controls

Version 6.5 Controlled Use of Administration Privileges