C-0210 - Ensure that the seccomp profile is set to docker/default in your pod definitions
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checks if seccomp profile is defined as type RuntimeDefault in security context of workload or container level
How to check it manually
Review the pod definitions in your cluster. It should create a line as below:
securityContext:
seccompProfile:
type: RuntimeDefault
Remediation
Use security context to enable the docker/default
seccomp profile in your pod definitions. An example is as below:
securityContext:
seccompProfile:
type: RuntimeDefault
Impact Statement
If the docker/default
seccomp profile is too restrictive for you, you would have to create/manage your own seccomp profiles.
Default Value
By default, seccomp profile is set to unconfined
which means that no seccomp profiles are enabled.
Example
No example
Updated 11 days ago