Seccomp Profile Is Not Configured

  • Query id: f377b83e-bd07-4f48-a591-60c82b14a78b
  • Query name: Seccomp Profile Is Not Configured
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Insecure Configurations
  • URL: Github

Description

Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-1
spec:
  containers:
  - name: foobar
    image: foo/bar:latest
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-2
  annotations:
    some-annotation: myannotation
spec:
  containers:
  - name: foobar
    image: foo/bar:latest
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-3
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'rntim/dfl'
spec:
  containers:
  - name: foobar
    image: foo/bar:latest
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            seccomp.security.alpha.kubernetes.io/defaultProfileName: 'rntim/dfl'
        spec:
          containers:
          - name: hello
            image: busybox
            imagePullPolicy: IfNotPresent
            args:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
          restartPolicy: OnFailure
Positive test num. 2 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
                type: RuntimeDefault
Positive test num. 3 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
                type: Unconfined

Positive test num. 4 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
        seccompProfile:
            type: RuntimeDefault
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
                type: Unconfined

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-1
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
spec:
  containers:
  - name: foobar
    image: foo/bar:latest
Negative test num. 2 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
        seccompProfile:
            type: RuntimeDefault
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
Negative test num. 3 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
                type: RuntimeDefault
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
                type: RuntimeDefault