I want to enable seccomp profile like RuntimeDefault in my AWS EKS Kubernetes cluster on a predefined Helm chart which doesn't have any specific parameter in the values.yml file to be updated. I don't want to download the chart and all the files locally to make changes in the deployment.yml.
What is the right way to do it?
Answer:
Kubernetes does not (currently) enable
seccompby default.Following are the 3 possible ways to do so defined:
If seccomp profile is already defined with a type (e.g.,
RuntimeDefault) in the defaultvalues.ymlfile of the newer version of a predefined Helm chart then simply upgrading its helm chart to that version will enable it.If option 1 is not possible, you can enable it on a predefined Helm chart by setting the seccomp profile type in the security context of a pod to
RuntimeDefaultas follows in thevalues.ymlfile depending upon the key used in thedeployment.ymlfile. For example, let’s say thatsecurityContextis the key used to define thesecurityContextin thedeployment.ymlfile. So, the following will be added in thevalues.ymlfile:deployment.ymlfile as follows:Note: It is not possible to apply a seccomp profile to a container running with
privileged: trueset in the container'ssecurityContext. Privileged containers always run asUnconfined.More Details:
Seccomp stands for “Secure Computing Mode”. It’s a security feature of the Linux kernel. In simple words, seccomp restricts the system calls that a process can make. In case of Kubernetes, it is a process running in a container in a pod.
Would seccomp improve our security posture? Yes, as seccomp protects the kernel from unwanted system calls made by processes, which in turn protects the host and helps maintain the isolation expected in a containerised environment.
Seccomp operation is controlled through rules specifying actions to take based on the requested syscall. Rules are defined in a file and referred to as a seccomp profile.
Example profiles can be found here: Restrict a Container's Syscalls with seccomp
In a seccomp profile, you basically define
defaultActionto be taken,architecturescovered,syscallsto list specific calls to be allowed or not.defaultAction: specifies what happens when the container uses a syscall that you haven't explicitly specified an action for. E.g.,defaultAction: SCMP_ACT_ERRNOfilters out the syscall.architectures: specifies the architectures we are allowed to receive syscalls from.syscalls: is a list of syscalls and the action we take when we encounter them.action: SCMP_ACT_ALLOWmeans we allow the system call to get past our seccomp filter.A good starting point when introducing seccomp to your Kubernetes cluster is to enable the default profile (RuntimeDefault). While general in nature and very likely to be overly permissive for most of your workloads, some of the most security-sensitive syscalls are blocked. This default seccomp profile provides a sane default for running containers with seccomp and disables around 44 system calls out of 300+. Significant syscalls blocked by the default profile can be found here.
Docker, CRI-O or Containerd, all of these come with a default seccomp profile available in your Kubernetes cluster.
Some workloads may require a lower amount of syscall restrictions than others. This means that they can fail during runtime even with the
RuntimeDefaultprofile. To mitigate such a failure, you can:Run the workload explicitly as
Unconfined.Disable the
SeccompDefaultfeature for the nodes. Also making sure that workloads get scheduled on nodes where the feature is disabled.Create a custom seccomp profile for the workload.
Important Note: Cloud managed Kubernetes clusters like Amazon EKS, GKE, etc, are managed Kubernetes clusters, so, we cannot play with the kubelet which means we cannot enable it on node level for all the pods in one go.