Benchmark: 5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions
Description
Enable docker/default seccomp profile in your pod definitions.
Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.
Remediation
Use security context to enable the docker/default seccomp profile in your pod definitions. An example is as below:
securityContext: seccompProfile: type: RuntimeDefault
Default Value: By default, seccomp profile is set to unconfined which means that no seccomp profiles are enabled.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-kubernetes-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 5.7.2 Ensure that the seccomp profile is set to docker/default in your Pod definitions.
Run this benchmark in your terminal:
powerpipe benchmark run kubernetes_compliance.benchmark.cis_v170_5_7_2Snapshot and share results via Turbot Pipes:
powerpipe benchmark run kubernetes_compliance.benchmark.cis_v170_5_7_2 --shareControls
- Seccomp profile is set to docker/default in CronJob definition
- Seccomp profile is set to docker/default in DaemonSet definition
- Seccomp profile is set to docker/default in Deployment definition
- Seccomp profile is set to docker/default in Job definition
- Seccomp profile is set to docker/default in your Pods
- Seccomp profile is set to docker/default in your ReplicaSet definition
- Seccomp profile is set to docker/default in your Replication Controller definition
- Seccomp profile is set to docker/default in your StatefulSet definition