lacework-global-789

Set the seccomp profile to docker/default in the pod definitions (Manual)

Description

Enable docker/default seccomp profile in the pod definitions.

Remediation

Seccomp is currently an alpha feature; enable it in the API server by passing the --feature-gates=AllAlpha=true argument.

Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to --feature-gates=AllAlpha=true:

KUBE_API_ARGS="--feature-gates=AllAlpha=true"

Then restart the kube-apiserver service in the way appropriate for your system, for example:

systemctl restart kube-apiserver.service

Use annotations to enable the docker/default seccomp profile in the pod definitions.

Below is an example:

apiVersion: v1
kind: Pod
metadata:
  name: trustworthy-pod
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: docker/default
spec:
  containers:
  - name: trustworthy-container
    image: sotrustworthy:latest
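As an added example (not part of this policy text or of any Lacework or Kubernetes tooling), the following Python script audits pod definitions for the docker/default seccomp annotation shown above. It reads the JSON shape produced by kubectl get pods -A -o json; the pod list embedded below is constructed sample input, not data from a real cluster. The checker goes slightly beyond the annotation on this page: it also accepts runtime/default and the securityContext.seccompProfile field (RuntimeDefault or Localhost) that current Kubernetes releases use in place of the annotation, and it only passes a pod without a pod-level profile when every container sets its own.

```python
import json

# Annotation used in the pod definition on this page (annotation-era Kubernetes).
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
# Annotation values that apply the container runtime's default profile.
ACCEPTED_ANNOTATION_VALUES = {"docker/default", "runtime/default"}
# securityContext.seccompProfile.type values that confine the workload
# (Kubernetes 1.19+ field; Localhost requires an operator-supplied profile).
ACCEPTED_PROFILE_TYPES = {"RuntimeDefault", "Localhost"}


def pod_seccomp_status(pod):
    """Return (compliant, reason) for one pod object (a dict decoded from JSON)."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    value = annotations.get(POD_ANNOTATION)
    if value in ACCEPTED_ANNOTATION_VALUES:
        return True, "annotation %s=%s" % (POD_ANNOTATION, value)

    spec = pod.get("spec", {})
    pod_profile = (spec.get("securityContext") or {}).get("seccompProfile") or {}
    if pod_profile.get("type") in ACCEPTED_PROFILE_TYPES:
        return True, "pod securityContext.seccompProfile.type=%s" % pod_profile["type"]

    # No pod-wide profile: pass only if every container sets its own.
    containers = spec.get("containers") or []
    unconfined = [
        c.get("name", "<unnamed>")
        for c in containers
        if ((c.get("securityContext") or {}).get("seccompProfile") or {}).get("type")
        not in ACCEPTED_PROFILE_TYPES
    ]
    if containers and not unconfined:
        return True, "every container sets securityContext.seccompProfile"
    if value is not None:
        return False, "annotation %s=%s is not docker/default" % (POD_ANNOTATION, value)
    return False, "no seccomp profile on pod; unconfined containers: " + ", ".join(unconfined)


def audit(pod_json):
    """Audit a single Pod or a kubectl 'List' document (kubectl get pods -o json).

    Returns a list of (namespace/name, compliant, reason) tuples, one per pod.
    """
    doc = json.loads(pod_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    results = []
    for pod in items:
        meta = pod.get("metadata", {})
        ident = "%s/%s" % (meta.get("namespace", "default"), meta.get("name", "<unnamed>"))
        ok, reason = pod_seccomp_status(pod)
        results.append((ident, ok, reason))
    return results


# Constructed sample input in the shape of `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "trustworthy-pod", "namespace": "default",
                      "annotations": {POD_ANNOTATION: "docker/default"}},
         "spec": {"containers": [{"name": "trustworthy-container",
                                  "image": "sotrustworthy:latest"}]}},
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "unconfined-pod", "namespace": "default",
                      "annotations": {POD_ANNOTATION: "unconfined"}},
         "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]}},
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "field-pod", "namespace": "prod"},
         "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                  "containers": [{"name": "app", "image": "example/app:1.0"}]}},
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "no-profile-pod", "namespace": "prod"},
         "spec": {"containers": [{"name": "app", "image": "example/app:1.0"},
                                 {"name": "sidecar", "image": "example/sidecar:1.0"}]}},
    ],
})


if __name__ == "__main__":
    for ident, ok, reason in audit(SAMPLE_POD_LIST):
        print("%-5s %-26s %s" % ("PASS" if ok else "FAIL", ident, reason))
```

To run it against a live cluster, pipe kubectl get pods -A -o json into the script and feed the text to audit(); a pod with the annotation set to unconfined is reported as a failure with the offending value, and a pod with no profile at all lists each container that is left unconfined so the finding can be traced to a specific definition.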

References

https://kubernetes.io/docs/tutorials/security/seccomp/
https://kubernetes.io/docs/concepts/workloads/pods/
https://kubernetes.io/docs/concepts/overview/components/#kube-apiserver