Mastering the art of creating seccomp profiles for your workloads: Seccomp goes GA on kubernetes 1.19 plus some other advanced topics.
On this part I want to cover a few isolated points that hopefully together would give a bit more depth to your seccomp knowledge.
Back in 2016 jessfrazz added seccomp support into Kubernetes v1.3. It stayed in alpha for several years, despite loads of different efforts to get this over the line, until it finally made it to GA on version v1.19 this month — big shout out to everybody involved throughout this journey!
The existing annotation based support is now deprecated and will be removed from Kubernetes on version v1.23. From now on you will be able to add seccomp based on the new field
seccompProfile at Pod or/and Container levels:
securityContext: seccompProfile: type: Localhost localhostProfile: my-seccomp-profile.json
type field can have three values:
RuntimeDefault. And the field
localhostProfile allows for setting the path of a file from disk. Some details can be found here.
Back on the first part of this series I mentioned about a bug I raised that showed that seccomp profiles applied at pod level were always greedier than the ones implemented at container level.
That is now fixed, and the solution was to apply a default seccomp profile to the sandbox container, which now will always run with the seccomp profile
From Kubernetes v1.19 it will make little difference between defining seccomp profiles at pod or container levels. Now that decision can be made considering other factors alone, like whether or not you plan to have sidecars added to the pod and what restrictions you want to impose on them — if any.
Our original Kubernetes tool list was so popular that we've curated another great list of tools to help you improve your functionality with the platform.
Focusing on Kubernetes security, we have to go through container security and their runtimes. All in all, clusters without containers running does not make much sense. Hardening workloads often is much harder than hardening the cluster itself. Let’s start with container configuration.
**Advanced Kubernetes [Refcard Update]** Kubernetes is a distributed cluster technology that manages container-based systems in a declarative manner using an API. There are currently many learning resources to get started with the fundamentals of...
Hardening Docker Container Using Seccomp Security Profile. This article examines Linux's Secure Computing Mode for securing Docker containers through its default and custom configurations.
Top Web & Mobile Application Development Company in India & USA. We specialize in Golang, Ruby on Rails, Symfony, Laravel PHP, Python, Angular, Mobile Apps, Blockchain, & Chatbots