Policy allows insecure seccomp profiles Affecting Deployment service in Kubernetes

Snyk CCSS

Containers / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls

Snyk ID SNYK-CC-00639
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Pods will be able to start with seccomp disabled.

How to fix?

Ensure spec.securityContext.seccompProfile.type is not set to Unconfined.

Example Configuration

apiVersion: v1
kind: Pod
metadata:
  name: default-pod
  labels:
    app: default-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: test-container
    image: hashicorp/http-echo:1.0
    args:
    - "-text=just made some more syscalls!"
    securityContext:
      allowPrivilegeEscalation: false

Terraform

kubernetes_pod_security_policy

Policy allows insecure seccomp profiles Affecting Deployment service in Kubernetes

Severity

Description

How to fix?

Example Configuration

Terraform

References