Seccomp Profile

Introduction

The Seccomp Profile Generator is a new feature designed to enhance the security posture of Kubernetes clusters by automating the generation of Seccomp profiles. Seccomp profiles help restrict the system calls available to containers, reducing the attack surface and mitigating risks associated with malicious activities. For more information, you can read here.

Main view

The Seccomp Profile view displays the current Profile Status of Seccomp configurations for each workload and provides data on syscalls used or unused as a result of the configuration or lack of configuration.

PROFILE STATUSES

  • Missing: No seccomp profile is configured for the workload.
  • Optimized: A seccomp profile is configured, allowing only the syscalls used by workload containers.
  • Overly Permissive: A seccomp profile is configured, allowing more syscalls than the container requires.

SYSCALLS

  • Used: The actual syscalls used by workload containers.
  • Unused:
    • If the seccomp profile is missing, this counts all syscalls that are not used.
    • If the seccomp profile is overly permissive, this counts the syscalls that are configured in the seccomp profile but are not used by the workload containers.
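
The status and Unused definitions above can be expressed as a small check. This is an added example, not ARMO's implementation: it assumes the profile is in the standard OCI runtime JSON seccomp format, ignores per-argument filters, and uses hypothetical function names and a constructed subset of the syscall table (KNOWN) with constructed sample data.

```python
import json

# Constructed subset of the syscall table; a real check needs the full list.
KNOWN = frozenset({"read", "write", "openat", "close", "mmap", "execve",
                   "socket", "connect", "ptrace", "mount", "reboot", "keyctl"})
PERMIT = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}  # actions that let the call run


def allowed_syscalls(profile_json):
    """Syscalls an OCI-format seccomp profile lets through (arg filters ignored)."""
    profile = json.loads(profile_json)
    allowed = set(KNOWN) if profile.get("defaultAction") in PERMIT else set()
    for rule in profile.get("syscalls") or []:
        names = set(rule.get("names", []))
        if rule.get("action") in PERMIT:
            allowed |= names
        else:
            allowed -= names
    return allowed


def classify(used, profile_json=None):
    """Apply the page's status and Unused definitions to one container."""
    used = set(used)
    if profile_json is None:
        return {"status": "Missing", "unused": sorted(KNOWN - used)}
    allowed = allowed_syscalls(profile_json)
    if used - allowed:
        # Not one of the page's three statuses: the profile would break the workload.
        raise ValueError(f"profile blocks used syscalls: {sorted(used - allowed)}")
    unused = sorted(allowed - used)
    return {"status": "Overly Permissive" if unused else "Optimized",
            "unused": unused}


# Constructed sample data.
USED = ["read", "write", "openat", "close", "mmap", "execve"]
TIGHT = json.dumps({"defaultAction": "SCMP_ACT_ERRNO",
                    "syscalls": [{"names": USED, "action": "SCMP_ACT_ALLOW"}]})
LOOSE = json.dumps({"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": USED + ["socket", "connect", "ptrace"], "action": "SCMP_ACT_ALLOW"}]})

if __name__ == "__main__":
    for label, prof in (("none", None), ("tight", TIGHT), ("loose", LOOSE)):
        print(label, classify(USED, prof))
```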

Generating Seccomp Profiles

When the Profile Status is either Missing or Overly Permissive, select the workload and click the generate icon. This produces two outputs:

  • Seccomp Profile CRD: A CRD generated by Armosec which holds the seccomp profile configurations for each of the workload's containers and the file path for each of the config files on the host.
  • New (vs Old) Resource to Deploy: A new resource with required changes to point to the correct seccomp profile for each of the workload containers.

Implementing Seccomp Profile in the Cluster

  1. Download and Deploy the Newly Generated Seccomp CRD: Deploying the CRD will generate the actual seccomp config file(s) for each of the workload containers on the host.

  2. Download and Deploy the Workload Fix: After successfully deploying the Seccomp Profile CRD, deploy the new workload fix to enable Seccomp configurations to take effect.