4.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Enable docker/default seccomp profile in your pod definitions.

Rationale:

Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing '--feature-gates=AllAlpha=true' argument.
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to '--feature-gates=AllAlpha=true'

KUBE_API_ARGS='--feature-gates=AllAlpha=true'

Based on your system, restart the kube-apiserver service. For example:

systemctl restart kube-apiserver.service

Use annotations to enable the docker/default seccomp profile in your pod definitions. An example is as below:

apiVersion: v1
kind: Pod
metadata:
name: trustworthy-pod
annotations:
seccomp.security.alpha.kubernetes.io/pod: docker/default
spec:
containers:
- name: trustworthy-container
image: sotrustworthy:latest

Impact:

If the docker/default seccomp profile is too restrictive for you, you would have to create/manage your own seccomp profiles. Also, you need to enable all alpha features for this to work. There is no individual switch to turn on this feature.

Default Value:

By default, seccomp profile is set to unconfined which means that no seccomp profiles are enabled.

See Also

https://workbench.cisecurity.org/files/2764