Configuring seccomp profiles

    OpenShift ships with a default seccomp profile. You can enable it for a pod or container workload by setting securityContext.seccompProfile.type to RuntimeDefault, as follows:

    Example
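    A pod manifest that enables the default profile, written here as an added example rather than taken from the original page. The pod name, container names and image are placeholders; the field paths are the standard Kubernetes ones:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-default-demo              # placeholder name (assumption)
spec:
  # Pod-level setting: applies to every container that does not override it.
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.access.redhat.com/ubi8/ubi-minimal   # placeholder image (assumption)
    command: ["sleep", "infinity"]
    # A container-level seccompProfile takes precedence over the pod-level one.
    # Setting it explicitly keeps this container confined even if someone later
    # drops the pod-level field.
    securityContext:
      seccompProfile:
        type: RuntimeDefault
  - name: sidecar
    image: registry.access.redhat.com/ubi8/ubi-minimal   # placeholder image (assumption)
    command: ["sleep", "infinity"]
    # No container-level seccompProfile: this container inherits RuntimeDefault
    # from the pod-level securityContext above.
```

    To confirm that the filter is actually applied inside the running container, read the kernel's view of the process rather than trusting the manifest: oc exec seccomp-default-demo -c app -- grep Seccomp /proc/1/status reports Seccomp: 2 (filter mode) when a profile is loaded and Seccomp: 0 when the container is unconfined.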

    Alternatively, you can use the seccomp pod annotation, or the container annotation container.seccomp.security.alpha.kubernetes.io/<container_name>: runtime/default. However, the annotation-based method is deprecated in OKD 4.7; prefer the securityContext.seccompProfile field.

    You can also configure a custom seccomp profile, which lets you tailor the system call filters to the application's requirements. This gives cluster administrators greater control over the security of workloads running in OpenShift Container Platform.

    Prerequisites

    • You have cluster administrator permissions.

    • You have created a custom seccomp profile.

    Procedure

    1. Upload your custom seccomp profile to the cluster nodes by using a MachineConfig object. See “Additional resources” for detailed steps.

    Applying the custom seccomp profile to the workload

    Prerequisite

    • The cluster administrator has set up the custom seccomp profile. For more details, see “Setting up the custom seccomp profile”.

    Procedure

    • Apply the seccomp profile to the workload by setting the securityContext.seccompProfile.type field as follows:

      Example
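    A pod manifest that references a custom profile already placed on the nodes, written here as an added example rather than taken from the original page. The pod name, image and the profile file name my-app-profile.json are assumptions. localhostProfile is resolved relative to the kubelet's seccomp root directory on the node, so no absolute path appears in the manifest:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-custom-demo               # placeholder name (assumption)
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      # File name of the custom profile as written to the node by the
      # MachineConfig. Relative to the kubelet seccomp root directory.
      localhostProfile: my-app-profile.json   # assumed file name
  containers:
  - name: app
    image: registry.access.redhat.com/ubi8/ubi-minimal   # placeholder image (assumption)
    command: ["sleep", "infinity"]
```

    Two failure modes are worth checking before relying on this. First, admission: the pod is only admitted if the SCC it lands under allows the profile, so a pod that is silently rejected or rewritten should be compared against the seccompProfiles field of the SCCs available to the user (oc get scc <name> -o yaml). Second, the node: if the file is missing on the node that schedules the pod, the kubelet does not fall back to the default profile; the container fails to start, and oc describe pod seccomp-custom-demo shows the error.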

    During deployment, the admission controller validates the following:

    • The annotations against the SCCs that the user's role is allowed to use.

    • That the SCC which includes the seccomp profile is allowed for the pod. An SCC's seccompProfiles field lists the profiles that pods admitted under it may use.

    If the SCC is allowed for the pod, the kubelet runs the pod with the specified seccomp profile.