Policy allows insecure seccomp profiles Affecting Deployment service in Kubernetes


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Containers / Best Practices

Frameworks: CIS-Controls
Snyk ID: SNYK-CC-00639
Credit: Snyk Research Team

Description

When the PodSecurityPolicy's seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation permits unconfined or * (any profile), pods admitted under that policy can start with seccomp disabled, so no syscall filter is applied to their containers.

How to fix?

Ensure the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation does not contain unconfined or * among its comma-separated values.

Example Configuration

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  requiredDropCapabilities:
    - all
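The following checker is an added example and not part of Snyk's rule or tooling. It applies the fix condition above to PodSecurityPolicy objects in JSON form (as kubectl get psp -o json would emit): the annotation value is split on commas and each entry is compared against unconfined and *. The sample manifests are constructed for the example; the "weak" and "wildcard" policies reproduce the misconfiguration, while "fixed" mirrors the example configuration on this page. Treating an absent annotation as out of scope for this rule is an assumption made here, since the rule text only addresses the values the annotation contains.

```python
"""Check PodSecurityPolicy manifests for insecure seccomp allowlists.

Flags the seccomp.security.alpha.kubernetes.io/allowedProfileNames
annotation when it permits 'unconfined' or '*' (any profile), which is
the condition described by SNYK-CC-00639.
"""
import json

ANNOTATION = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
INSECURE_PROFILES = {"unconfined", "*"}


def insecure_seccomp_profiles(manifest: dict) -> list:
    """Return the insecure entries found in the annotation (empty if none).

    `manifest` is a PodSecurityPolicy as a dict, e.g. one item from
    `kubectl get psp -o json`. The annotation is a comma-separated list,
    so each entry is stripped and compared individually.
    """
    if manifest.get("kind") != "PodSecurityPolicy":
        return []
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    value = annotations.get(ANNOTATION)
    if value is None:
        # Assumption for this example: an absent annotation adds no profiles,
        # so it is not reported under this rule.
        return []
    entries = [entry.strip() for entry in str(value).split(",")]
    return [entry for entry in entries if entry in INSECURE_PROFILES]


def check_manifests(docs: list) -> dict:
    """Map each failing PSP name to the insecure seccomp entries it allows."""
    findings = {}
    for doc in docs:
        bad = insecure_seccomp_profiles(doc)
        if bad:
            findings[doc.get("metadata", {}).get("name", "<unnamed>")] = bad
    return findings


# Constructed sample manifests (JSON, the shape kubectl -o json emits).
# 'weak' and 'wildcard' reproduce the misconfiguration; 'fixed' mirrors
# the page's example configuration.
SAMPLE_MANIFESTS = json.loads("""
[
  {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
   "metadata": {"name": "weak",
     "annotations": {"seccomp.security.alpha.kubernetes.io/allowedProfileNames": "docker/default, unconfined"}},
   "spec": {"seLinux": {"rule": "RunAsAny"}}},
  {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
   "metadata": {"name": "wildcard",
     "annotations": {"seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*"}},
   "spec": {"seLinux": {"rule": "RunAsAny"}}},
  {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
   "metadata": {"name": "fixed",
     "annotations": {"seccomp.security.alpha.kubernetes.io/allowedProfileNames": "docker/default"}},
   "spec": {"seLinux": {"rule": "RunAsAny"}}}
]
""")

if __name__ == "__main__":
    for name, bad in check_manifests(SAMPLE_MANIFESTS).items():
        print(f"{name}: insecure seccomp profiles allowed: {', '.join(bad)}")
```

Run against a live cluster by loading the `items` array of `kubectl get psp -o json` into `check_manifests`; any policy reported should have its annotation reduced to named profiles such as docker/default or runtime/default.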