Policy allows insecure seccomp profiles Affecting Deployment service in Kubernetes
Severity Framework
Snyk CCSS
Rule category
Containers / Best Practices
Frameworks
CIS-Controls
- Snyk ID SNYK-CC-00639
- credit Snyk Research Team
Description
The PodSecurityPolicy permits pods to start with seccomp disabled (the unconfined profile), so their system calls are not filtered.
How to fix?
Ensure the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation does not contain unconfined or *. The value unconfined lets a pod run without any seccomp filter, and * permits every profile, including unconfined. Note that PodSecurityPolicy and these seccomp annotations are deprecated in current Kubernetes releases (PodSecurityPolicy was removed in v1.25, where seccomp is instead set through securityContext.seccompProfile).
Example Configuration
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  requiredDropCapabilities:
  - all
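As an added illustration that is not part of this rule page or of any Snyk tool, the following Python check reads the JSON that kubectl get psp -o json prints and reports which PodSecurityPolicies still allow an unconfined seccomp profile; the policy list it runs on is a constructed sample, and the helper names are hypothetical.

```python
import json

# Hypothetical helper (not from Snyk): audit PodSecurityPolicies for the
# allowedProfileNames values this rule flags.
ANNOTATION = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
INSECURE = {"unconfined", "*"}  # either value lets a pod run with seccomp off


def insecure_seccomp_profiles(psp: dict) -> list:
    """Return the allowedProfileNames entries that permit unconfined seccomp.

    The annotation is a comma-delimited list. When it is absent, pods cannot
    override the policy's default profile, so nothing is flagged here; whether
    that default is itself unconfined depends on the defaultProfileName
    annotation, which this check does not inspect.
    """
    annotations = (psp.get("metadata") or {}).get("annotations") or {}
    raw = annotations.get(ANNOTATION)
    if raw is None:
        return []
    names = [name.strip() for name in raw.split(",")]
    return [name for name in names if name in INSECURE]


def audit(psp_list: dict) -> dict:
    """Map each policy name in a 'kubectl get psp -o json' list to its
    offending entries; an empty list means the policy passes this rule."""
    return {item["metadata"]["name"]: insecure_seccomp_profiles(item)
            for item in psp_list.get("items", [])}


# Constructed sample, shaped like 'kubectl get psp -o json' output.
SAMPLE_PSPS = json.loads("""{"kind": "PodSecurityPolicyList", "items": [
  {"metadata": {"name": "restricted",
   "annotations": {"%s": "docker/default,runtime/default"}}},
  {"metadata": {"name": "legacy",
   "annotations": {"%s": "docker/default, unconfined"}}},
  {"metadata": {"name": "permissive", "annotations": {"%s": "*"}}},
  {"metadata": {"name": "no-annotation"}}
]}""" % (ANNOTATION, ANNOTATION, ANNOTATION))

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PSPS).items():
        print(f"{name}: {'FAIL ' + ','.join(findings) if findings else 'ok'}")
```

Pipe real output into json.load and pass the result to audit to check a live cluster that still runs PodSecurityPolicy.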