Secure Your Kubernetes Cluster With Seccomp
A hands-on guide to applying the principle of least privilege to container syscalls
Kubernetes has been around for a while, and it has become very popular with tech enthusiasts as well as serious businesses. While it seeks to improve the way we deploy and run applications, and is a quantum leap in itself, it is a relatively new technology that is still maturing. Security has always been a particular focus of Kubernetes, and there are multiple ways to tackle it. One such method is Seccomp.
Seccomp stands for secure computing and has been a standard Linux kernel feature since version 2.6.12. It lets you restrict a process with syscall filters, so that the process can make only the system calls it is permitted to make.
That is particularly helpful when we want to reduce a container's attack surface. For example, if a container only renders static web pages, there is no need for it to have write access to your filesystem. Likewise, most containers do not need access to operations such as reboot or changes to the system configuration.
You can collate multiple filters into a Seccomp profile and apply the profile to your process. Container runtimes like Docker use this feature by default and provide the RuntimeDefault seccomp policy, which applies to every container they run. However, when we run Kubernetes, it replaces the default seccomp profile with Unconfined, which does not restrict any system call.
Now, this is a security loophole that cybercriminals can exploit. Therefore, Kubernetes has allowed us to use Seccomp from v1.19. There are also a few alpha features in Kubernetes v1.22 that enable us to apply the Seccomp policy by default to all workloads of the Kubernetes cluster, which we will explore in this tutorial.
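To see which workloads are affected, the following Python script (an added example, not code from the original article or its repository) computes the effective seccomp profile of every container in a pod list and reports those left Unconfined. The sample pod list is constructed, and the script assumes the cluster does not enable the alpha default-seccomp feature mentioned above.

```python
import json

# Constructed sample, shaped like the output of `kubectl get pods -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "static-site"},
   "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "nginx"}]}},
  {"metadata": {"namespace": "web", "name": "legacy-api"},
   "spec": {"containers": [{"name": "api"}],
            "initContainers": [{"name": "migrate"}]}},
  {"metadata": {"namespace": "ops", "name": "debug-tools"},
   "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [
              {"name": "shell",
               "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
              {"name": "sidecar"}]}}
]}
""")


def effective_profile(pod_spec, container):
    """Container-level seccompProfile wins over pod-level; unset means Unconfined."""
    for ctx in (container.get("securityContext"), pod_spec.get("securityContext")):
        profile = (ctx or {}).get("seccompProfile")
        if profile:
            if profile.get("type") == "Localhost":
                return "Localhost:" + profile.get("localhostProfile", "")
            return profile.get("type", "Unconfined")
    # Assumption: the alpha default-seccomp feature is not enabled on the nodes.
    return "Unconfined"


def unconfined_containers(pod_list):
    """Return (namespace, pod, container) for every container with no syscall filter."""
    findings = []
    for pod in pod_list.get("items", []):
        spec, meta = pod.get("spec", {}), pod.get("metadata", {})
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(kind) or []:
                if effective_profile(spec, c) == "Unconfined":
                    findings.append((meta.get("namespace"), meta.get("name"), c["name"]))
    return findings


if __name__ == "__main__":
    for ns, pod, container in unconfined_containers(SAMPLE):
        print(f"{ns}/{pod}: container {container!r} runs Unconfined")
```

On a live cluster, replace `SAMPLE` with the parsed output of `kubectl get pods -A -o json`.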
Prerequisites
You need a Linux machine with Docker CE and KinD installed for this exercise. You also need to fork this repository, clone it, and cd into it.
Bootstrapping a Kubernetes Cluster Without Default Seccomp Profiles
As the default Seccomp policy is an alpha feature and only available in…