Ensure seccomp is set to Docker/Default or Runtime/Default

Error: seccomp is not set to Docker/Default or Runtime/Default

Bridgecrew Policy ID: BC_K8S_29
Checkov Check ID: CKV_K8S_31
Severity: LOW

seccomp is not set to Docker/Default or Runtime/Default

Description

Secure computing mode (seccomp) is a Linux kernel feature that restricts the system calls a process, and therefore every process inside a container, is allowed to make. The seccomp() system call operates on the seccomp state of the calling process; a container runtime applies a profile to the container's first process and every child inherits it. The runtime's default profile (runtime/default, which on Docker is docker/default) blocks non-essential and dangerous system calls while leaving typical workloads running, so it is a reliable baseline. Kubernetes does not apply it on its own: a pod with no profile set runs Unconfined unless the cluster's kubelets have been configured to default to it, which is why the manifest should declare the profile explicitly.

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Argument: securityContext: seccompProfile: type: (Kubernetes >= v1.19; may be set at pod level or per container, and a container-level value overrides the pod-level one)
    Addition of seccompProfile type: RuntimeDefault, the profile shipped by the container runtime (runtime/default, which is docker/default on Docker). DockerDefault is not a valid value of this field and the API server rejects it. On clusters older than v1.19 set the annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default (or docker/default) on the pod metadata instead; that annotation was deprecated in v1.19 and removed in v1.27.
apiVersion: v1
kind: Pod
metadata:
  name: <name>
spec:
  containers:
  - name: <container name>
    image: <image>
  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
apiVersion: batch/v1  # batch/v1beta1 on clusters older than v1.21
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        spec:
          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    spec:
      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
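The following script is an added example written for this page; it is not Checkov's implementation of CKV_K8S_31 and is not part of the original policy text. It walks the resource kinds listed above, finds the pod template for each (a CronJob nests it one level deeper than the other workload kinds), and reports every container whose effective seccomp profile is not the runtime default. It honours both forms described above: the securityContext.seccompProfile.type field (pod-level, overridden per container) and the older seccomp.security.alpha.kubernetes.io/pod annotation with its per-container variant. The sample manifests at the bottom are constructed for the demonstration; the yaml import in load_manifests assumes PyYAML is installed only when you point it at a real file.

```python
"""Seccomp manifest check: an added example, not Checkov's own code for CKV_K8S_31.
Reports containers whose effective seccomp profile is not the runtime default, using
the securityContext field (Kubernetes >= 1.19) or the pre-1.19 annotations."""
from typing import Any, Dict, List, Optional

ACCEPTED_FIELD_TYPES = {"RuntimeDefault"}
ACCEPTED_ANNOTATION_VALUES = {"docker/default", "runtime/default"}
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"
TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet",
                  "ReplicationController", "Job"}


def pod_template(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Locate the object carrying pod metadata and spec for each supported kind."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return manifest
    if kind == "CronJob":
        return ((spec.get("jobTemplate") or {}).get("spec") or {}).get("template")
    if kind in TEMPLATE_KINDS:
        return spec.get("template")
    return None


def seccomp_type(security_context: Optional[Dict[str, Any]]) -> Optional[str]:
    """securityContext.seccompProfile.type, or None when the field is unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")


def check_seccomp(manifest: Dict[str, Any]) -> List[str]:
    """Return one finding per container lacking an accepted profile (empty list = pass)."""
    template = pod_template(manifest)
    if template is None:
        return [f"unsupported kind {manifest.get('kind')!r}"]
    spec = template.get("spec") or {}
    annotations = (template.get("metadata") or {}).get("annotations") or {}
    pod_field = seccomp_type(spec.get("securityContext"))
    pod_annotation = annotations.get(POD_ANNOTATION)
    findings: List[str] = []
    # initContainers run with their own securityContext, so check them too.
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        name = container.get("name", "<unnamed>")
        container_field = seccomp_type(container.get("securityContext"))
        container_annotation = annotations.get(CONTAINER_ANNOTATION_PREFIX + name)
        # Precedence: the container-level field overrides the pod-level field, and the
        # field (either level) wins over annotations; among annotations the
        # per-container one overrides the pod-wide one.
        if container_field is not None or pod_field is not None:
            effective = container_field if container_field is not None else pod_field
            ok = effective in ACCEPTED_FIELD_TYPES
        else:
            effective = (container_annotation if container_annotation is not None
                         else pod_annotation)
            ok = effective in ACCEPTED_ANNOTATION_VALUES
        if not ok:
            findings.append(f"container {name!r}: seccomp profile is {effective or 'unset'}")
    return findings


def load_manifests(text: str) -> List[Dict[str, Any]]:
    """Parse a multi-document YAML file. Assumes PyYAML is installed when called."""
    import yaml
    return [doc for doc in yaml.safe_load_all(text) if isinstance(doc, dict)]


# Constructed sample manifests for the demonstration (not from any real cluster).
POD_OK = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
          "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                   "containers": [{"name": "app", "image": "app:1"}]}}
DEPLOYMENT_MISSING = {"apiVersion": "apps/v1", "kind": "Deployment",
                      "metadata": {"name": "web"},
                      "spec": {"template": {"spec": {
                          "containers": [{"name": "web", "image": "web:1"}]}}}}
CRONJOB_ANNOTATED = {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "cj"},
                     "spec": {"schedule": "* * * * *", "jobTemplate": {"spec": {"template": {
                         "metadata": {"annotations": {POD_ANNOTATION: "runtime/default"}},
                         "spec": {"containers": [{"name": "job", "image": "job:1"}]}}}}}}
# Pod-level RuntimeDefault, but one container opts out with Unconfined: must fail.
POD_OVERRIDDEN = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "loose"},
                  "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                           "containers": [{"name": "app", "image": "app:1"},
                                          {"name": "debug", "image": "dbg:1",
                                           "securityContext": {
                                               "seccompProfile": {"type": "Unconfined"}}}]}}

if __name__ == "__main__":
    for m in (POD_OK, DEPLOYMENT_MISSING, CRONJOB_ANNOTATED, POD_OVERRIDDEN):
        print(m["kind"], m["metadata"]["name"], check_seccomp(m) or "PASS")
```

The per-container loop is the part worth keeping in mind when reading scanner output: a pod-level RuntimeDefault is not enough if a sidecar or debug container sets its own securityContext.seccompProfile.type to Unconfined, because the container-level field wins.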