Mastering the art of creating seccomp profiles for your workloads: seccomp goes GA in Kubernetes 1.19, plus some other advanced topics.
In this part I want to cover a few isolated points that, taken together, should add some depth to your seccomp knowledge.
Back in 2016 jessfrazz added seccomp support to Kubernetes v1.3. It stayed in alpha for several years, despite many different efforts to get it over the line, until it finally reached GA in v1.19 this month. Big shout-out to everybody involved throughout this journey!
The existing annotation-based support is now deprecated and is scheduled for removal from Kubernetes in v1.23. From now on you set seccomp through the new seccompProfile field, at pod and/or container level:

```yaml
securityContext:
  seccompProfile:
    type: Localhost
    localhostProfile: my-seccomp-profile.json
```
The type field accepts three values: Localhost, Unconfined and RuntimeDefault. The localhostProfile field names a profile file that must already be on the node's disk; the path is relative to the kubelet's seccomp profile directory (<kubelet-root-dir>/seccomp, which is /var/lib/kubelet/seccomp by default), and the file has to exist on every node the pod can be scheduled to, otherwise the container fails to start. Note that if neither the pod nor the container sets a seccompProfile, the container still runs unconfined in v1.19. Further details can be found in the Kubernetes documentation.
In the first part of this series I mentioned a bug I raised, showing that seccomp profiles applied at pod level were always greedier than the ones applied at container level.
That is now fixed. The solution was to apply a default seccomp profile to the sandbox (pause) container, which now always runs with the RuntimeDefault profile.
From Kubernetes v1.19 onwards it makes little difference whether you define seccomp profiles at pod or container level. That decision can now be made on other factors alone, such as whether you plan to add sidecars to the pod and what restrictions, if any, you want to impose on them. Since a container-level seccompProfile overrides the pod-level one, a pod-level RuntimeDefault with a tighter Localhost profile on the containers that need it gives every container, sidecars included, at least the default protection.
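To make the precedence rules of the new field concrete, here is an added example (my own code, not from the original post or from Kubernetes) that resolves the effective seccomp profile of every container in a Pod manifest and lints the common mistakes: the deprecated annotation form, containers left unconfined, and Localhost profiles that are not relative paths. The manifest is a constructed sample, and the "<sandbox>" name is a synthetic label for the pause container, not a real container name.

```python
"""Resolve the effective seccomp profile of each container in a Pod manifest.

Added example, not code from the original post. It encodes the v1.19 field
semantics: a container-level seccompProfile overrides the pod-level one, a
container with neither runs Unconfined, and the sandbox (pause) container
always runs RuntimeDefault. It also flags the deprecated annotation form and
Localhost profiles that are not paths relative to the kubelet seccomp root.
"""
from typing import Any, Dict, List, Optional

SANDBOX = "<sandbox>"  # synthetic label for the pause container (assumption, not a real name)
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def _seccomp_profile(security_context: Optional[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Return the seccompProfile block of a securityContext, if any."""
    if not security_context:
        return None
    return security_context.get("seccompProfile")


def describe(profile: Optional[Dict[str, Any]]) -> str:
    """Render a seccompProfile as 'RuntimeDefault', 'Unconfined' or 'Localhost:<path>'."""
    if profile is None:
        return "Unconfined"  # v1.19 kubelet default when nothing is set at either level
    profile_type = profile.get("type", "")
    if profile_type == "Localhost":
        return "Localhost:" + profile.get("localhostProfile", "")
    return profile_type


def effective_profiles(pod: Dict[str, Any]) -> Dict[str, str]:
    """Map every container name (plus the sandbox) to the profile it will actually run with."""
    spec = pod["spec"]
    pod_level = _seccomp_profile(spec.get("securityContext"))
    resolved = {SANDBOX: "RuntimeDefault"}  # the pause container is always RuntimeDefault since the fix
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        own = _seccomp_profile(container.get("securityContext"))
        # container-level field wins; otherwise the pod-level field applies
        resolved[container["name"]] = describe(own if own is not None else pod_level)
    return resolved


def lint(pod: Dict[str, Any]) -> List[str]:
    """Report deprecated annotations, unconfined containers and malformed Localhost paths."""
    findings: List[str] = []
    annotations = pod.get("metadata", {}).get("annotations", {})
    for key in annotations:
        if key == POD_ANNOTATION or key.startswith(CONTAINER_ANNOTATION_PREFIX):
            findings.append(f"deprecated annotation {key}: migrate to securityContext.seccompProfile")
    for name, profile in effective_profiles(pod).items():
        if name == SANDBOX:
            continue
        if profile == "Unconfined":
            findings.append(f"container {name}: runs Unconfined, no syscall filtering at all")
        elif profile.startswith("Localhost:"):
            path = profile[len("Localhost:"):]
            # localhostProfile must be a relative path below <kubelet-root-dir>/seccomp
            if not path or path.startswith("/") or ".." in path.split("/"):
                findings.append(
                    f"container {name}: localhostProfile {path!r} must be a relative path "
                    "under the kubelet seccomp root"
                )
    return findings


# Constructed sample manifest (not taken from the post): pod-level RuntimeDefault,
# a tighter Localhost profile on the app, a sidecar that inherits the pod default,
# a debug container that opts out, and a leftover deprecated annotation.
SAMPLE_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "demo",
        "annotations": {POD_ANNOTATION: "runtime/default"},
    },
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app",
             "securityContext": {"seccompProfile": {"type": "Localhost",
                                                    "localhostProfile": "profiles/app.json"}}},
            {"name": "sidecar", "image": "example/proxy"},
            {"name": "debug", "image": "example/shell",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}

if __name__ == "__main__":
    for name, profile in effective_profiles(SAMPLE_POD).items():
        print(f"{name:10} -> {profile}")
    for finding in lint(SAMPLE_POD):
        print("WARN:", finding)
```

Running it shows the sidecar picking up the pod-level RuntimeDefault, the app container overriding it with Localhost:profiles/app.json, the debug container ending up Unconfined despite the pod-level setting, and the stale annotation flagged for migration. Wiring the same checks into an admission webhook or a CI step is the natural next move.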