5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions

Information

Enable docker/default seccomp profile in your pod definitions.

Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Use security context to enable the docker/default seccomp profile in your pod definitions. An example is as below:

securityContext:
seccompProfile:
type: RuntimeDefault

Impact:

If the docker/default seccomp profile is too restrictive for you, you would have to create/manage your own seccomp profiles.

See Also

https://workbench.cisecurity.org/benchmarks/17568

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|5.2

Plugin: Unix

Control ID: ab466103ea7cabaa11cb54f9277f33e8dde0a5b3b175dea5d601f687d8a9dc06