Documentation: How to install a seccomp profile

[CodeClinch]

Description

The seccomp profile "docker/default" is available on Kubernetes hosts. With Karydia it is possible to select also other profiles. How could the profiles be installed on a node? The solution should be described.

User Story

As a user I want to use a custom seccomp profile in order to restrict the access to the node.

[OPTIONAL] Implementation idea

[Neumann-Nils]

How to use custom seccomp profile with Docker

1. Create your own custom seccomp profile (this one allows all syscalls except chmod):

   {
   "defaultAction": "SCMP_ACT_ALLOW",
   "architectures": [
       "SCMP_ARCH_X86_64",
       "SCMP_ARCH_X86",
       "SCMP_ARCH_X32"
   ],
   "syscalls": [
       {
           "names": [
               "chmod"
           ],
           "action": "SCMP_ACT_ERRNO",
           "args": [],
           "comment": "",
           "includes": {},
           "excludes": {}
       }
   ]
   }

   More examples can be found here:

   • https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
   • https://github.com/docker/labs/tree/master/security/seccomp/seccomp-profiles

2. Run an docker container with the created seccomp profile

   docker container run -it --rm --security-opt seccomp=test_seccomp.json alpine sh

3. Test the seccomp profile (e.g. try out blocked syscalls)

[Neumann-Nils]

How to use custom seccomp profile with Kubernetes

To bind a specific profile to a Pod, you can use the following alpha annotations:

• Specify a Seccomp profile for all containers of the Pod: seccomp.security.alpha.kubernetes.io/pod
• Specify a Seccomp profile for an individual container: container.seccomp.security.alpha.kubernetes.io/${container_name}

For the value of the annotation you can use on of the following contents:

Value	Description
runtime/default	the default profile for the container runtime
unconfined	unconfined profile, disable Seccomp sandboxing
localhost/profile-name	the profile installed to the node’s local seccomp profile root

If you want to use use custom profiles (prefixed with "localhost/"), you have to copy these to all worker nodes in your cluster. The default folder for profiles is "/var/lib/kubelet/seccomp".

[Neumann-Nils]

Main open question:

• How to place a custom seccomp profile on the nodes?