4.2.14 Ensure that the --seccomp-default parameter is set to true

Information

Ensure that the Kubelet enforces the use of the RuntimeDefault seccomp profile

By default, Kubernetes does not apply the seccomp profile that ships with most container runtimes: pods run Unconfined unless they request a profile themselves. Setting this parameter ensures that workloads running on the node are protected by the runtime's default seccomp profile.

Solution

Set the parameter to true, either via the --seccomp-default command line flag or via the seccompDefault setting in the kubelet configuration file.
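The following audit helper is an added example, not part of the CIS benchmark text or the Tenable plugin. It applies the control's logic to a kubelet: command line flags take precedence over the configuration file, a bare --seccomp-default is a boolean flag meaning true, and otherwise the KubeletConfiguration file decides. The two sample configuration files are constructed inline so the script runs offline; the kubeadm-style path /var/lib/kubelet/config.yaml in the closing comment is an assumption about where a real node keeps its kubelet config.

```shell
#!/bin/sh
# Added audit helper; not part of the CIS benchmark text or the Tenable plugin.
# It answers the question this control asks: does the kubelet enforce the
# RuntimeDefault seccomp profile, via the --seccomp-default command line flag
# or the seccompDefault setting in its KubeletConfiguration file?

# check_seccomp_default KUBELET_CMDLINE CONFIG_FILE
#   Returns 0 when the setting is enforced, 1 otherwise.
#   Command line flags override the configuration file, so they are inspected first.
check_seccomp_default() {
    cmdline="$1"
    config="$2"

    case " $cmdline " in
        # An explicit --seccomp-default=false wins over anything in the file.
        *" --seccomp-default=false "*) return 1 ;;
        # A bare boolean flag means true, as does --seccomp-default=true.
        *" --seccomp-default "*|*" --seccomp-default=true "*) return 0 ;;
    esac

    # No flag given: the configuration file decides. Look for a top-level
    # "seccompDefault: true" (a trailing comment is tolerated).
    if [ -r "$config" ] && grep -Eq '^seccompDefault:[[:space:]]*true([[:space:]]|#|$)' "$config"; then
        return 0
    fi
    return 1
}

# Constructed sample KubeletConfiguration files so the script runs offline.
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# Weak: seccompDefault is absent, so it defaults to false and pods run
# Unconfined unless they request a profile themselves.
cat > "$WEAK_CFG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
EOF

# Hardened: the runtime's default seccomp profile is applied to every pod
# that does not specify its own.
cat > "$HARDENED_CFG" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
seccompDefault: true
EOF

# Report on each constructed case, plus flag-only and flag-override cases.
report() {
    if check_seccomp_default "$1" "$2"; then
        echo "PASS: $3"
    else
        echo "FAIL: $3 (RuntimeDefault seccomp profile not enforced)"
    fi
}
report "/usr/bin/kubelet --config=$WEAK_CFG" "$WEAK_CFG" "config file without seccompDefault"
report "/usr/bin/kubelet --config=$HARDENED_CFG" "$HARDENED_CFG" "config file with seccompDefault: true"
report "/usr/bin/kubelet --seccomp-default --config=$WEAK_CFG" "$WEAK_CFG" "flag set on the command line"
report "/usr/bin/kubelet --seccomp-default=false --config=$HARDENED_CFG" "$HARDENED_CFG" "flag overriding the config file"

# On a real node, feed it the running kubelet instead (path is an assumption,
# kubeadm's default location):
#   cmdline=$(ps -o args= -C kubelet)
#   cfg=$(printf '%s' "$cmdline" | sed -n 's/.*--config=\([^ ]*\).*/\1/p')
#   check_seccomp_default "$cmdline" "${cfg:-/var/lib/kubelet/config.yaml}"
```

The precedence check matters in practice: a configuration file that sets seccompDefault: true is not sufficient evidence of compliance if the service unit also passes --seccomp-default=false, so an audit has to look at both sources in the order the kubelet does.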

Impact:

Setting this will remove some rights from pods running on the node.

See Also

https://workbench.cisecurity.org/benchmarks/21709

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|5.1, CSCv7|5.2, CSCv7|11.4

Plugin: Unix

Control ID: 8faa95955ed72b9d4992efb7de7015601b5b2af13c6efbe582d3b033b6de68d0