1.6.4 Ensure that the seccomp profile is set to docker/default in your pod definitions

Information

Enable 'docker/default' seccomp profile in your pod definitions.

Rationale:

Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing '--feature-gates=AllAlpha=true' argument.

Edit the '/etc/kubernetes/apiserver' file on the master node and set the 'KUBE_API_ARGS' parameter to '--feature-gates=AllAlpha=true'

KUBE_API_ARGS='--feature-gates=AllAlpha=true'

Based on your system, restart the 'kube-apiserver' service. For example:

systemctl restart kube-apiserver.service

Use 'annotations' to enable the 'docker/default' seccomp profile in your pod definitions. An example is as below:

apiVersion: v1
kind: Pod
metadata:
name: trustworthy-pod
annotations:
seccomp.security.alpha.kubernetes.io/pod: docker/default
spec:
containers:
- name: trustworthy-container
image: sotrustworthy:latest

Impact:

If the 'docker/default' seccomp profile is too restrictive for you, you would have to create/manage your own seccomp profiles. Also, you need to enable all alpha features for this to work. There is no individual switch to turn on this feature.

See Also

https://workbench.cisecurity.org/files/2125