Ensure seccomp profile is set to Docker/Default or Runtime/Default

Error: seccomp profile is not set to Docker/Default or Runtime/Default

Bridgecrew Policy ID: BC_K8S_30
Checkov Check ID: CKV_K8S_32
Severity: LOW

Description

Secure computing mode (seccomp) is a Linux kernel feature that restricts the system calls a process may make, and so limits what a compromised process inside a container can do. The seccomp() system call operates on the seccomp state of the calling process. The container runtime's default seccomp profile (docker/default or runtime/default) is a well-tested baseline for running containers under seccomp: it blocks system calls that containers do not normally need while leaving typical workloads unaffected.

Fix - Buildtime

Kubernetes

  • Resource: Pod / Deployment / DaemonSet / StatefulSet / ReplicaSet / ReplicationController / Job / CronJob
  • Argument: metadata:annotations (Optional)
    Annotations attach arbitrary non-identifying metadata to objects.
apiVersion: v1
kind: Pod
metadata:
  name: <name>
  annotations:
+   seccomp.security.alpha.kubernetes.io/pod: "docker/default"
    # or
+   seccomp.security.alpha.kubernetes.io/pod: "runtime/default"

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: <name>
spec:
  schedule: <>
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
+           seccomp.security.alpha.kubernetes.io/pod: "docker/default"
            # or
+           seccomp.security.alpha.kubernetes.io/pod: "runtime/default"

apiVersion: <>
kind: <kind>
metadata:
  name: <name>
spec:
  template:
    metadata:
      annotations:
+       seccomp.security.alpha.kubernetes.io/pod: "docker/default"
        # or
+       seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
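The following is an added example, not Checkov's own implementation of CKV_K8S_32: it walks the three manifest shapes shown above (Pod, CronJob, other workload controllers) to find the pod template and reports PASSED only when the annotation carries one of the two accepted values. As an assumption beyond this page it also accepts securityContext.seccompProfile with type RuntimeDefault, the field that replaced the annotation (the annotation was removed in Kubernetes 1.27); all sample manifests are constructed.

```python
# Added example, not Checkov's own code: the decision logic of CKV_K8S_32 over
# in-memory manifests (plain dicts, so no YAML library is required).
ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
ALLOWED_ANNOTATION_VALUES = {"docker/default", "runtime/default"}


def pod_template(manifest):
    """Return (metadata, spec) of the pod that will run, following the three
    shapes in the fix above: Pod, CronJob (under jobTemplate), other controllers."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("metadata") or {}, manifest.get("spec") or {}
    spec = manifest.get("spec") or {}
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    template = spec.get("template") or {}
    return template.get("metadata") or {}, template.get("spec") or {}


def _runtime_default(security_context):
    # Assumption beyond the page: securityContext.seccompProfile, the field that
    # replaced the annotation (the annotation was removed in Kubernetes 1.27).
    return ((security_context or {}).get("seccompProfile") or {}).get("type") == "RuntimeDefault"


def check_seccomp(manifest):
    """Return "PASSED" if the pod runs under the default seccomp profile, else "FAILED"."""
    metadata, spec = pod_template(manifest)
    if (metadata.get("annotations") or {}).get(ANNOTATION) in ALLOWED_ANNOTATION_VALUES:
        return "PASSED"
    if _runtime_default(spec.get("securityContext")):
        return "PASSED"  # pod-level profile covers every container
    containers = spec.get("containers") or []
    if containers and all(_runtime_default(c.get("securityContext")) for c in containers):
        return "PASSED"  # every container sets its own profile
    return "FAILED"  # no profile, "unconfined", or a typo in the value


# Constructed sample manifests (not from a real cluster).
POD_UNCONFINED = {"kind": "Pod", "metadata": {"name": "web"},
                  "spec": {"containers": [{"name": "app", "image": "nginx"}]}}
POD_ANNOTATED = {"kind": "Pod", "metadata": {"name": "web", "annotations": {ANNOTATION: "runtime/default"}},
                 "spec": {"containers": [{"name": "app", "image": "nginx"}]}}
CRONJOB_ANNOTATED = {"kind": "CronJob", "metadata": {"name": "backup"},
                     "spec": {"schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {
                         "metadata": {"annotations": {ANNOTATION: "docker/default"}},
                         "spec": {"containers": [{"name": "job", "image": "busybox"}]}}}}}}
DEPLOYMENT_FIELD = {"kind": "Deployment", "metadata": {"name": "api"},
                    "spec": {"template": {"spec": {
                        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                        "containers": [{"name": "api", "image": "api:1.0"}]}}}}
```

Running check_seccomp over the four constructed manifests yields FAILED for POD_UNCONFINED and PASSED for the other three.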