Restrict Seccomp

Description

Seccomp, stands for ‘Secure Computing Mode,’ and is a security mechanism within the Linux kernel. It functions by limiting the system calls that a process is allowed to execute. Since system calls serve as the primary interface between user applications and the kernel, controlling them through seccomp effectively safeguards the kernel, thereby protecting the host system and reinforcing the isolation that containers rely on. This policy ensures that Seccomp profile is not explicitly set to Unconfined.

Restricted Fields

• spec.securityContext.seccompProfile.type
• spec.containers[*].securityContext.seccompProfile.type
• spec.initContainers[*].securityContext.seccompProfile.type
• spec.ephemeralContainers[*].securityContext.seccompProfile.type

Allowed Values

• Undefined/nil
• RuntimeDefault
• Localhost

Risks

Seccomp operates based on rules that are present within a file called seccomp profile. It is recommended that users do not use the Unconfined profile as it allows containers to invoke any syscall. Many syscalls are harmless, but others can be used to escalate privileges, adjust kernel settings, or perform other undesirable actions. Having a seccomp profile in place can help reduce the attack surface by restricting the syscalls that can be made.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-seccomp.yaml

References

Configuration Settings

The below configuration indicates that if the deployed resource contains one of ephemeralContainers or initContainers or containers in their spec field, AND if securityContext.seccompProfile.type field is present, then the only acceptable values are RuntimeDefault or Localhost to be conformant with this security control. If the securityContext.seccompProfile.type field is not present, then the resource is conformant by default.

=(securityContext):
  =(seccompProfile):
    =(type): "RuntimeDefault | Localhost"      
=(ephemeralContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
=(initContainers):
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"
containers:
- =(securityContext):
    =(seccompProfile):
      =(type): "RuntimeDefault | Localhost"

Resource Example

Below is a Deployment resource example where securityContext.seccompProfile.type is set to either Localhost or RuntimeDefault for both initContainers and containers.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: operator/default/profile1.json
      - name: initcontainer02
        image: dummyimagename
        securityContext:
          seccompProfile:
            type: RuntimeDefault
      containers:
      - name: container01
        image: dummyimagename