Closed NissesSenap closed 2 years ago
So I have verified that the `pathTests` config works as intended. Creating the below pod will use the defined seccompProfile of Unconfined. But if I don't define anything it will set:

```yaml
securityContext:
  seccompProfile:
    type: RuntimeDefault
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: debug2
  namespace: lab
spec:
  securityContext:
    seccompProfile:
      type: Unconfined
  containers:
  - command:
    - /bin/sh
    resources:
      requests:
        memory: "16Mi"
        cpu: "10m"
      limits:
        memory: "64Mi"
        cpu: "100m"
    image: alpine:latest
    name: container-00
    tty: true
```
Trying to find exactly what RuntimeDefault includes. I found it for Docker: https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile I reached out in the Kubernetes security Slack and let's see if I get some reply there.
Got a reply on my question in Slack:
AFAIK runtime/default seccomp profile is defined by the CRI (so Docker, ContainerD, CRI-O). I've not seen a comparison of the available CRIs to know if there are any differences or if they all use the same list.
This is probably the one used in containerd. https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go
Migrate all 3 changes into separate PRs:
- https://github.com/XenitAB/gatekeeper-library/pull/66 update upstream
- https://github.com/XenitAB/gatekeeper-library/pull/67 remove CAP_SYS_ADMIN
- https://github.com/XenitAB/gatekeeper-library/pull/68 add seccomp
Not only drop NET_RAW but also CAP_SYS_ADMIN. Also add a default config for seccompProfile, depending on whether something else is defined.
Solves: https://github.com/XenitAB/gatekeeper-library/issues/62 and https://github.com/XenitAB/gatekeeper-library/issues/63
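For the default seccompProfile behaviour described in this PR and the `pathTests` verification above, here is an added example of a Gatekeeper `Assign` mutation; it is not the library's own manifest, and the API version and the `metadata.name` are assumed. It sets `RuntimeDefault` only when the pod specifies no seccompProfile at all, so an explicit `Unconfined` like the test pod's is left untouched.

```yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1   # assumed API version
kind: Assign
metadata:
  name: pod-default-seccomp-runtimedefault     # assumed name
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
  # Path that receives the default value.
  location: "spec.securityContext.seccompProfile"
  parameters:
    # Mutate only when no seccompProfile exists at the pod level;
    # an explicit Unconfined or Localhost profile is preserved.
    pathTests:
    - subPath: "spec.securityContext.seccompProfile"
      condition: MustNotExist
    assign:
      value:
        type: RuntimeDefault
```

A container-level `securityContext.seccompProfile` still overrides the pod-level value, so a separate Assign on `spec.containers[name:*].securityContext.seccompProfile` is needed if that level should also get a default.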
It seems changes to the CRD version still come even though https://github.com/XenitAB/gatekeeper-library/pull/61 was merged. Maybe everything wasn't fixed upstream.