Policy allows insecure seccomp profiles Affecting Deployment service in Kubernetes

Severity Framework Snyk CCSS

Rule category Containers / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls

Snyk ID SNYK-CC-00639
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Pods will be able to start with seccomp disabled.

How to fix?

Ensure seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation does not contain unconfined or *.

Example Configuration

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny 
  requiredDropCapabilities:
    - all

Terraform

kubernetes_pod_security_policy

Policy allows insecure seccomp profiles Affecting Deployment service in Kubernetes

Description

How to fix?

Example Configuration

Terraform

References