Seccomp Profile
Three seccomp options: RuntimeDefault baseline, a custom strict deny-by-default profile, and Security Profiles Operator (SPO) managed profile.
Overview
This template provides three approaches to seccomp filtering: the RuntimeDefault profile (recommended baseline for all workloads), a custom strict deny-by-default profile (for sensitive workloads handling PII or financial data), and a Security Profiles Operator (SPO) managed SeccompProfile resource for automated distribution.
Security threat addressed: Without seccomp, containers can make any system call to the Linux kernel. Dangerous syscalls like unshare, mount, and ptrace enable container escapes, kernel exploits, and privilege escalation.
When to use: Apply RuntimeDefault to every workload as a baseline. Use the custom strict profile for workloads that process sensitive data and need maximum kernel attack surface reduction.
Threat Model
- Container escape prevention: Blocking unshare and setns prevents namespace manipulation attacks (e.g., CVE-2022-0185).
- Kernel attack surface reduction: The custom profile allows only ~130 necessary syscalls out of 300+ available, blocking all dangerous categories.
- Rootkit prevention: Blocking init_module and finit_module prevents kernel module loading from within containers.
- Debug/injection blocking: Blocking ptrace prevents process debugging and code injection attacks.
MITRE ATT&CK:
- T1611 — Escape to Host: Unrestricted syscalls (e.g., unshare, keyctl, mount) enable kernel exploits and container escape.
Real-world scenario: An attacker exploits a vulnerability and attempts to use the unshare syscall to create a new user namespace for container escape (CVE-2022-0185). The seccomp profile blocks the syscall, preventing the escape entirely.
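The deny-by-default shape that the threat model relies on, together with a check that a candidate profile really denies the syscalls named above, as an added example that is not the template's own profile. The profile embedded here is a constructed stub in the OCI seccomp JSON format with a deliberately tiny allowlist (it is not the 130-syscall template); `lint_profile`, `allowed_syscalls` and `DANGEROUS_SYSCALLS` are names chosen for this example.

```python
"""Lint a seccomp profile for deny-by-default posture (added example, not the page's template)."""
import json

# Constructed minimal profile in the OCI/runc seccomp JSON format. It shows the
# deny-by-default shape (defaultAction denies, explicit allowlist); the allowlist
# is far too small for a real workload and is not the template's profile.
EXAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": ["read", "write", "close", "fstat", "mmap", "munmap",
                      "brk", "exit_group", "futex", "epoll_wait", "accept4"],
            "action": "SCMP_ACT_ALLOW",
        }
    ],
})

# Syscalls the threat model singles out as escape, rootkit and injection vectors.
DANGEROUS_SYSCALLS = {"unshare", "setns", "mount", "ptrace", "keyctl",
                      "init_module", "finit_module"}

# Default actions that leave every unlisted syscall blocked.
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}


def allowed_syscalls(profile: dict) -> set:
    """Return the set of syscall names the profile explicitly allows."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
    return allowed


def lint_profile(profile_json: str) -> list:
    """Return a list of findings; an empty list means the profile passes both checks."""
    profile = json.loads(profile_json)
    findings = []
    action = profile.get("defaultAction")
    if action not in DENY_ACTIONS:
        findings.append(f"defaultAction {action!r} is not deny-by-default")
    # An allowlist that includes the escape primitives defeats the purpose of the profile.
    for name in sorted(DANGEROUS_SYSCALLS & allowed_syscalls(profile)):
        findings.append(f"dangerous syscall allowed: {name}")
    return findings


if __name__ == "__main__":
    print(f"{len(allowed_syscalls(json.loads(EXAMPLE_PROFILE)))} syscalls allowed")
    print(lint_profile(EXAMPLE_PROFILE) or "profile passes")
```

Run the linter against any profile you intend to ship via `type: Localhost` or an SPO SeccompProfile before rolling it out; a profile whose defaultAction is SCMP_ACT_ALLOW is an allow-by-default blocklist, which is the opposite of what the threat model above assumes.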
YAML Source
# OPTION 1: Pod using RuntimeDefault seccomp profile (RECOMMENDED BASELINE)
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-runtime-default-example
  namespace: default
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
    app: seccomp-demo
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  containers:
    - name: app
      image: registry.example.com/app:v1.2.3
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
# ... truncated -- get full template with custom JSON profile, SPO SeccompProfile,
# and blocked syscall categories at k8s-security.pro/pricing
Get the complete template with the custom strict JSON profile (130+ allowed syscalls), SPO SeccompProfile CRD, and detailed blocked syscall documentation in the Starter tier.
Installation
kubectl:
kubectl apply -f 09_seccomp_profile.yaml
Helm:
helm install k8s-security ./charts/k8s-security -f values-prod.yaml
Kustomize:
kubectl apply -k kustomize/overlays/prod
Verification
# Check seccomp profile on running pods
kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\t"}{.spec.securityContext.seccompProfile.type}{"\n"}{end}'
# Verify pod is using RuntimeDefault
kubectl get pod seccomp-runtime-default-example -o jsonpath='{.spec.securityContext.seccompProfile}'
# Test that a blocked syscall fails (if using custom profile)
kubectl exec <pod-name> -- unshare --user 2>&1
# Expected: Operation not permitted
# Check SPO SeccompProfile status (if using SPO)
kubectl get seccompprofiles -A
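The jsonpath one-liner above reads only the pod-level securityContext, so a container that overrides the pod profile with Unconfined, or a pod with no profile at all, is easy to miss. The following audit computes the effective profile per container (container-level seccompProfile wins over pod-level; nothing set is treated as Unconfined, which is what the runtime applies unless the kubelet's seccomp default is turned on). It is an added example, not tooling from the template: the pod list is a constructed stand-in for `kubectl get pods -A -o json` trimmed to the fields read, and `audit_pods` and `effective_profile` are names chosen here.

```python
"""Audit pods for containers running without seccomp (added example, not the page's tooling)."""
import json

# Constructed stand-in for `kubectl get pods -A -o json`, trimmed to the fields the
# audit reads. Not captured from a real cluster.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {   # pod-level RuntimeDefault inherited by the container -> compliant
            "metadata": {"namespace": "default", "name": "seccomp-runtime-default-example"},
            "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                     "containers": [{"name": "app", "securityContext": {}}]},
        },
        {   # pod-level strict profile, but one container overrides it with Unconfined
            "metadata": {"namespace": "payments", "name": "ledger"},
            "spec": {"securityContext": {"seccompProfile": {"type": "Localhost",
                                                              "localhostProfile": "profiles/strict.json"}},
                     "containers": [
                         {"name": "api"},
                         {"name": "debug-sidecar",
                          "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]},
        },
        {   # nothing set at either level -> no filter applied
            "metadata": {"namespace": "legacy", "name": "batch"},
            "spec": {"containers": [{"name": "worker"}]},
        },
    ]
})

COMPLIANT_TYPES = ("RuntimeDefault", "Localhost")


def effective_profile(pod_spec: dict, container: dict) -> str:
    """Container-level seccompProfile overrides pod-level; absent is treated as Unconfined."""
    container_sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    profile = container_sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    return profile.get("type", "Unconfined")


def audit_pods(pod_list_json: str) -> list:
    """Return (namespace/pod, container, profile type) for every non-compliant container."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        spec = pod["spec"]
        ident = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        # Init and ephemeral containers run under the same rules and are often forgotten.
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for container in spec.get(kind, []):
                profile_type = effective_profile(spec, container)
                if profile_type not in COMPLIANT_TYPES:
                    findings.append((ident, container["name"], profile_type))
    return findings


if __name__ == "__main__":
    # Real use: pipe `kubectl get pods -A -o json` into this script instead of SAMPLE_POD_LIST.
    for ident, name, profile_type in audit_pods(SAMPLE_POD_LIST):
        print(f"{ident}\t{name}\t{profile_type}")
```

An empty result is the state CIS 5.2.12 asks for; anything listed is a container the admission controller should have rejected.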
CIS Benchmark References
- 5.2.12 — Minimize the admission of containers without a configured seccomp profile. This template provides three approaches to ensure every container has seccomp filtering.
MITRE ATT&CK References
- T1611 — Escape to Host: Unrestricted syscalls enable container escape via kernel exploits. Seccomp profiles block the dangerous syscalls (unshare, mount, ptrace, keyctl) used in these attacks.
Further Reading
- Kubernetes Pod Security Standards: From PSP to PSS Migration Guide — Learn how seccomp profiles fit into the Restricted PSS standard and how to deploy custom profiles with SPO.
Get Full Access to This Template
This template is included in the Starter tier and above.