Restricting Application Capabilities Using Seccomp

    Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in OKD.

    Seccomp support is achieved via two annotations in the pod configuration:

    • seccomp.security.alpha.kubernetes.io/pod: the profile applies to all containers in the pod that do not override it

    • container.seccomp.security.alpha.kubernetes.io/: container-specific profile override

    Containers are run with unconfined seccomp settings by default.

    For detailed design information, refer to the seccomp design document.

    Seccomp is a feature of the Linux kernel. To ensure seccomp is enabled on your system, run:

    1. Create the seccomp profile.

      The is sufficient in many cases, but the cluster administrator must define the security constraints of an individual system.

      To create your own custom profile, create a file on every node in the directory.

      If you are using the default docker/default profile, you do not need to create one.

    2. Restart the node service to apply the changes:

    3. To control which profiles may be used, and to set the default profile, configure your SCC via the seccompProfiles field. The first profile listed is used as the default.

      • docker/default: the default profile for the container runtime (no profile required)

      • unconfined: the unconfined profile, which disables seccomp
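The annotation precedence and SCC allow-list described above can be checked against a pod manifest before it is submitted. The following is an added example, not code from the OKD documentation or project: a simplified Python model of that resolution, useful for auditing manifests. Assumptions: the container name is appended to the container-specific annotation key, the SCC list passed to `violations` is non-empty, and the sample pod and SCC values are constructed.

```python
# Added example: simplified model of seccomp profile resolution for a pod.
POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
# Assumption: the container name is appended to this prefix.
CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def effective_profiles(pod, scc_profiles):
    """Return {container_name: profile} for every container in the pod.

    Precedence: container-specific annotation, then the pod-level
    annotation, then the first SCC profile (the default). With no SCC
    profiles given, an unannotated container is treated as unconfined.
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    default = scc_profiles[0] if scc_profiles else "unconfined"
    pod_level = annotations.get(POD_KEY, default)
    return {
        c["name"]: annotations.get(CONTAINER_PREFIX + c["name"], pod_level)
        for c in pod["spec"]["containers"]
    }


def violations(pod, scc_profiles):
    """List (container, profile) pairs not allowed by the SCC list.

    scc_profiles is the SCC's seccompProfiles list (assumed non-empty).
    """
    allowed = set(scc_profiles)
    return [
        (name, profile)
        for name, profile in effective_profiles(pod, scc_profiles).items()
        if profile not in allowed
    ]


# Constructed sample pod: "web" inherits the pod-level profile,
# "debug" overrides it with unconfined.
SAMPLE_POD = {
    "metadata": {"annotations": {
        POD_KEY: "docker/default",
        CONTAINER_PREFIX + "debug": "unconfined",
    }},
    "spec": {"containers": [{"name": "web"}, {"name": "debug"}]},
}

if __name__ == "__main__":
    scc = ["docker/default"]  # constructed seccompProfiles value
    print(effective_profiles(SAMPLE_POD, scc))
    print(violations(SAMPLE_POD, scc))
```

A container-level `unconfined` override is the case worth flagging in review, since it silently disables seccomp for one container while the pod-level annotation still looks restrictive.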

    To ensure pods in your cluster run with a custom profile:

    1. Create the seccomp profile in seccomp-profile-root.

    2. Configure seccomp-profile-root:

    3. Configure your SCC: