Seccomp Profile Is Not Configured
- Query id: f377b83e-bd07-4f48-a591-60c82b14a78b
- Query name: Seccomp Profile Is Not Configured
- Platform: Kubernetes
- Severity: Medium
- Category: Insecure Configurations
- CWE: 665
- URL: Github
Description
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-1
spec:
  containers:
    - name: foobar
      image: foo/bar:latest
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-2
  annotations:
    some-annotation: myannotation
spec:
  containers:
    - name: foobar
      image: foo/bar:latest
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-3
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'rntim/dfl'
spec:
  containers:
    - name: foobar
      image: foo/bar:latest
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            seccomp.security.alpha.kubernetes.io/defaultProfileName: 'rntim/dfl'
        spec:
          containers:
            - name: hello
              image: busybox
              imagePullPolicy: IfNotPresent
              args:
                - /bin/sh
                - -c
                - date; echo Hello from the Kubernetes cluster
          restartPolicy: OnFailure
```
Positive test num. 2 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
```
Positive test num. 3 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: Unconfined
```
Positive test num. 4 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: Unconfined
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-test-1
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  containers:
    - name: foobar
      image: foo/bar:latest
```
Negative test num. 2 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
```
Negative test num. 3 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: securitydemo
  labels:
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsUser: 19000
      containers:
        - name: frontend
          image: nginx
          ports:
            - containerPort: 80
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
        - name: echoserver
          image: k8s.gcr.io/echoserver:1.4
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
```
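The positive and negative samples above encode the rule's semantics: a container passes when it sets `seccompProfile.type: RuntimeDefault` (or a `Localhost` profile) itself or inherits one from the pod-level `securityContext`, the legacy annotation only counts with an exact known value (the `'rntim/dfl'` typo does not), and a container-level override to `Unconfined` discards a secure pod-level setting (positive test 4). The following Python checker is an added example, not KICS's own Rego query; it implements that logic over manifests built as Python dicts (constructed from the page's samples, so it runs without a YAML library), and it goes beyond the samples by also checking `initContainers` and by locating the pod template inside `CronJob` and `spec.template` workloads.

```python
# Added example, not KICS's own query logic: applies this page's seccomp rule to
# Kubernetes manifests. Manifests are Python dicts constructed from the page's
# YAML samples so the block runs without a YAML library.

# Annotation key as used in the page's samples; accepted values are the
# documented runtime/default, docker/default and localhost/<file> forms.
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
SECURE_ANNOTATION_VALUES = {"runtime/default", "docker/default"}


def pod_template(manifest):
    """Return (template metadata, pod spec) for a Pod, a CronJob, or a workload
    that embeds its pod template under spec.template (Deployment, Job, ...)."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return manifest.get("metadata") or {}, spec
    if kind == "CronJob":
        template = ((spec.get("jobTemplate") or {}).get("spec") or {}).get("template") or {}
    else:
        template = spec.get("template") or {}
    return template.get("metadata") or {}, template.get("spec") or {}


def profile_is_secure(profile):
    """securityContext.seccompProfile counts when it is RuntimeDefault or a
    Localhost profile that names a file; Unconfined or an empty field does not."""
    if not profile:
        return False
    if profile.get("type") == "Localhost":
        return bool(profile.get("localhostProfile"))
    return profile.get("type") == "RuntimeDefault"


def annotation_is_secure(metadata):
    """Annotation form: an exact known value is required, so a typo such as the
    page's 'rntim/dfl' is treated as no profile at all."""
    value = (metadata.get("annotations") or {}).get(SECCOMP_ANNOTATION)
    if not isinstance(value, str):
        return False
    return value in SECURE_ANNOTATION_VALUES or value.startswith("localhost/")


def check_seccomp(manifest):
    """Return a list of finding strings; an empty list means compliant."""
    kind = manifest.get("kind", "?")
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    metadata, spec = pod_template(manifest)
    pod_ctx = spec.get("securityContext") or {}
    pod_level_ok = annotation_is_secure(metadata) or profile_is_secure(pod_ctx.get("seccompProfile"))
    findings = []
    # initContainers are included here, which goes beyond the page's samples.
    for container in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        cname = container.get("name", "<unnamed>")
        ctx = container.get("securityContext") or {}
        if "seccompProfile" in ctx:
            # A container-level override replaces the pod-level profile entirely.
            if not profile_is_secure(ctx["seccompProfile"]):
                ptype = (ctx["seccompProfile"] or {}).get("type")
                findings.append(f"{kind}/{name}: container {cname!r} overrides seccomp with type={ptype!r}")
        elif not pod_level_ok:
            findings.append(f"{kind}/{name}: container {cname!r} has no seccomp profile and none is set at pod level")
    return findings


def scan(manifests):
    """Map each manifest's metadata.name to its findings."""
    return {(m.get("metadata") or {}).get("name"): check_seccomp(m) for m in manifests}


def _pod(name, annotations):
    """The page's single-container Pod shape with the given annotations (constructed)."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "annotations": annotations},
            "spec": {"containers": [{"name": "foobar", "image": "foo/bar:latest"}]}}


def _deployment(name, pod_ctx, echoserver_ctx):
    """The page's 'securitydemo' Deployment shape with chosen securityContexts (constructed)."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "labels": {"app": "web"}},
            "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "web"}},
                     "template": {"metadata": {"labels": {"app": "web"}},
                                  "spec": {"securityContext": pod_ctx, "containers": [
                                      {"name": "frontend", "image": "nginx",
                                       "securityContext": {"allowPrivilegeEscalation": False}},
                                      {"name": "echoserver", "image": "k8s.gcr.io/echoserver:1.4",
                                       "securityContext": echoserver_ctx}]}}}}


RUNTIME_DEFAULT = {"type": "RuntimeDefault"}
SAMPLES = [  # constructed from the page's positive and negative samples
    _pod("pod-test-3", {SECCOMP_ANNOTATION: "rntim/dfl"}),  # positive 1: typo in annotation
    _deployment("positive-2", {"runAsUser": 19000},
                {"allowPrivilegeEscalation": False, "seccompProfile": RUNTIME_DEFAULT}),
    _deployment("positive-4", {"runAsUser": 19000, "seccompProfile": RUNTIME_DEFAULT},
                {"allowPrivilegeEscalation": False, "seccompProfile": {"type": "Unconfined"}}),
    _pod("pod-test-1", {SECCOMP_ANNOTATION: "runtime/default"}),  # negative 1
    _deployment("negative-2", {"runAsUser": 19000, "seccompProfile": RUNTIME_DEFAULT},
                {"allowPrivilegeEscalation": False}),
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or "compliant")
```

Running the block reports one finding each for `pod-test-3` (no usable profile), `positive-2` (`frontend` has no profile while only `echoserver` sets one) and `positive-4` (`echoserver` overrides the pod-level `RuntimeDefault` with `Unconfined`), and nothing for `pod-test-1` and `negative-2`. Treating the pod-level setting as a default that every container can silently discard is the point a reviewer should keep in mind: a compliant-looking pod `securityContext` is not evidence that every container is confined.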