Policy sets insecure default seccomp profile Affecting Pod Security Policy service in Kubernetes

Snyk CCSS

Containers / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Kubernetes

Snyk ID SNYK-CC-00640
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Default seccomp profile is set to Unconfined. Containers will run with seccomp disabled.

How to fix?

"Set spec.securityContext.seccompProfile.type to RuntimeDefault.

Example configuration

apiVersion: v1
kind: Container
metadata:
  name: default-container
  labels:
    app: default-container
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: test-container
    image: hashicorp/http-echo:1.0
    args:
    - "-text=just made some more syscalls!"
    securityContext:
      allowPrivilegeEscalation: false

Terraform

kubernetes_pod_security_policy

References

Restrict a Container's Syscalls with seccomp