lacework-global-789
Set the seccomp profile to docker/default in the pod definitions (Manual)
Description
Enable docker/default seccomp profile in the pod definitions.
Remediation
Seccomp is currently an alpha feature, which you can enable in the apiserver by passing the --feature-gates=AllAlpha=true argument.
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to --feature-gates=AllAlpha=true:
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
Depending on your system, restart the kube-apiserver service, for example:
systemctl restart kube-apiserver.service
Use annotations to enable the docker/default seccomp profile in the pod definitions.
Below is an example:
apiVersion: v1
kind: Pod
metadata:
  name: trustworthy-pod
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: docker/default
spec:
  containers:
    - name: trustworthy-container
      image: sotrustworthy:latest
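To audit what is actually deployed, the following added example (not part of the policy text) checks pod definitions for the annotation shown above, using the JSON shape produced by kubectl get pods -o json. The function name audit_pods and the sample pods other than trustworthy-pod are constructed for illustration; the example also honours the per-container annotation key container.seccomp.security.alpha.kubernetes.io/<container-name>, which goes beyond the pod-wide case on this page.

```python
import json
import sys

POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_KEY_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"
# "runtime/default" is the runtime-neutral name Kubernetes later gave "docker/default".
ACCEPTED = {"docker/default", "runtime/default"}


def audit_pods(pod_list):
    """Return (namespace, pod, container, value) for every container whose
    effective seccomp annotation is not the default profile."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        annotations = meta.get("annotations") or {}
        spec = pod.get("spec", {})
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for c in containers:
            # A per-container annotation overrides the pod-wide one.
            value = annotations.get(CONTAINER_KEY_PREFIX + c["name"],
                                    annotations.get(POD_KEY))
            if value not in ACCEPTED:
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), c["name"], value))
    return findings


# Constructed sample: one compliant pod, one with no annotation, and one whose
# sidecar opts out of the pod-wide profile with a per-container annotation.
SAMPLE = {"items": [
    {"metadata": {"name": "trustworthy-pod",
                  "annotations": {POD_KEY: "docker/default"}},
     "spec": {"containers": [{"name": "trustworthy-container"}]}},
    {"metadata": {"name": "no-profile"},
     "spec": {"containers": [{"name": "app"}]}},
    {"metadata": {"name": "mixed",
                  "annotations": {POD_KEY: "docker/default",
                                  CONTAINER_KEY_PREFIX + "sidecar": "unconfined"}},
     "spec": {"containers": [{"name": "app"}, {"name": "sidecar"}]}},
]}

if __name__ == "__main__":
    # Pipe `kubectl get pods --all-namespaces -o json` in, or run bare for the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, pod, container, value in audit_pods(data):
        print(f"{ns}/{pod} container={container} seccomp={value or 'not set'}")
```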