Apply a Seccomp profile to containers - Security Practices for Multi-Tenant SaaS Applications using Amazon EKS

Apply a Seccomp profile to containers

Seccomp is a Linux kernel feature that restricts programs from making unauthorized system calls, or syscalls. Syscalls are how programs interact with the Linux kernel. For example, a program that wants to write to standard output might use the write(2) syscall. Many syscalls are harmless, but others can be used to escalate privileges, adjust kernel settings, or perform other undesirable actions.

By default, containers run “unconfined,” which allows them to invoke any syscall. Instead, AWS recommends enabling the default Seccomp profile provided by the container runtime. This profile allows most system calls but blocks some that are considered high risk. See Seccomp security profiles for Docker for a list of the syscalls permitted and denied by default.

To enable this profile, in each Pod or container’s SecurityContext, specify a seccompProfile with a type of RuntimeDefault. See Set the Seccomp Profile for a Container for more information.
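The pod-level and container-level settings interact: a `seccompProfile` in a container's own `securityContext` overrides the one in the Pod's `securityContext`, and a container with neither setting runs unconfined. The following added example (not from the guide) audits a Pod manifest for containers that end up unconfined and produces a copy with `RuntimeDefault` applied at the Pod level; the manifest dict is constructed for the example, and the function names are the example's own.

```python
"""Audit and fix the effective seccomp profile of every container in a Pod manifest.

Added example: not part of the AWS guide. Kubernetes precedence, as documented:
container securityContext.seccompProfile > pod securityContext.seccompProfile > unconfined.
"""
import copy
from typing import Dict, List

# Constructed sample manifest: no pod-level profile, one container opts in explicitly,
# one container explicitly opts out, the rest inherit nothing and run unconfined.
SAMPLE_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "tenant-app"},
    "spec": {
        "initContainers": [
            {"name": "init-migrate", "image": "migrate:1.0",
             "securityContext": {"runAsNonRoot": True}},
        ],
        "containers": [
            {"name": "app", "image": "app:1.0"},
            {"name": "sidecar", "image": "proxy:1.0",
             "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
            {"name": "debug", "image": "tools:1.0",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}


def effective_profile(pod: dict, container: dict) -> dict:
    """Return the seccompProfile the container actually runs with."""
    ctx = container.get("securityContext") or {}
    if "seccompProfile" in ctx:
        return ctx["seccompProfile"]          # container-level setting wins
    pod_ctx = pod.get("spec", {}).get("securityContext") or {}
    # Nothing set at either level: the runtime starts the container unconfined.
    return pod_ctx.get("seccompProfile") or {"type": "Unconfined"}


def all_containers(pod: dict) -> List[dict]:
    """Init containers and regular containers both get the pod-level default."""
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def unconfined_containers(pod: dict) -> List[str]:
    """Names of containers that would be able to invoke any syscall."""
    return [c["name"] for c in all_containers(pod)
            if effective_profile(pod, c).get("type") == "Unconfined"]


def apply_runtime_default(pod: dict) -> dict:
    """Return a copy with RuntimeDefault at the pod level and explicit opt-outs removed.

    Container-level profiles other than Unconfined (e.g. a Localhost custom profile)
    are left in place, since they are stricter or deliberately chosen.
    """
    fixed = copy.deepcopy(pod)
    spec = fixed.setdefault("spec", {})
    spec.setdefault("securityContext", {})["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in all_containers(fixed):
        ctx = c.get("securityContext") or {}
        if ctx.get("seccompProfile", {}).get("type") == "Unconfined":
            del ctx["seccompProfile"]          # fall back to the pod-level RuntimeDefault
    return fixed


if __name__ == "__main__":
    print("unconfined before:", unconfined_containers(SAMPLE_POD))
    print("unconfined after: ", unconfined_containers(apply_runtime_default(SAMPLE_POD)))
```

The same check is useful as an admission-time policy (for example in a validating webhook or a policy engine), where a Pod that would run any container unconfined is rejected rather than patched.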

It is also possible to run a container with a custom Seccomp profile. This can be used to further restrict the syscalls that may be invoked, or permit syscalls that would otherwise be forbidden. Tools such as strace(1) or Sysdig Inspect can be used to determine which syscalls an application makes.
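As an added example (not from the guide), the following script turns a trace of the syscalls an application made into a custom Seccomp profile in the OCI/Docker JSON format the runtime expects: every traced syscall is allowed and everything else returns an error. The strace lines are constructed for the example and the function names are the example's own.

```python
"""Derive an allow-list seccomp profile from strace output.

Added example: not part of the AWS guide. Input is the text produced by
`strace -f -o trace.log <program>`; output is a profile in the OCI/Docker JSON format.
"""
import json
import re
from typing import Iterable, Set

# Constructed sample of strace -f output (pid prefix, unfinished/resumed lines, signals).
SAMPLE_TRACE = """\
4242 execve("/usr/local/bin/app", ["app"], 0x7ffdabcd /* 12 vars */) = 0
4242 brk(NULL) = 0x55d4a2b9c000
4242 openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
4242 read(3, "127.0.0.1 localhost\\n", 4096) = 20
4242 close(3) = 0
4242 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1) = 4243
4243 write(1, "hello\\n", 6 <unfinished ...>
4242 wait4(4243,  <unfinished ...>
4243 <... write resumed>) = 6
4243 exit_group(0) = ?
4243 +++ exited with 0 +++
4242 <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4243
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4243} ---
4242 exit_group(0) = ?
4242 +++ exited with 0 +++
"""

# A syscall line: optional "[pid N] " or "N " prefix, then "name(".
_CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?P<name>[a-z_][a-z0-9_]*)\(")
# A continuation of a call interrupted by another thread: "<... name resumed>".
_RESUMED = re.compile(r"<\.\.\. (?P<name>[a-z_][a-z0-9_]*) resumed>")


def traced_syscalls(trace: str) -> Set[str]:
    """Collect the distinct syscall names that appear in an strace log."""
    names: Set[str] = set()
    for line in trace.splitlines():
        m = _CALL.match(line) or _RESUMED.search(line)
        if m:
            names.add(m.group("name"))
    # Signal delivery ("--- SIGCHLD ...") and exit markers ("+++ exited") are skipped.
    return names


def build_profile(syscalls: Iterable[str], arches=("SCMP_ARCH_X86_64",)) -> dict:
    """Allow exactly the traced syscalls; anything else fails with an errno.

    SCMP_ACT_ERRNO makes an untraced syscall return an error instead of killing the
    process, which is easier to diagnose when the trace missed a code path.
    """
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(arches),
        "syscalls": [{"names": sorted(set(syscalls)), "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(profile: dict, syscall: str) -> bool:
    """Evaluate a name-only profile (argument filters are not modelled here)."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule.get("action") == "SCMP_ACT_ALLOW"
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def profile_json(syscalls: Iterable[str]) -> str:
    """Serialised profile, ready to be written under the kubelet's seccomp directory."""
    return json.dumps(build_profile(syscalls), indent=2)


if __name__ == "__main__":
    print(profile_json(traced_syscalls(SAMPLE_TRACE)))
```

To use the resulting file on a node, place it under the kubelet's seccomp root (`/var/lib/kubelet/seccomp` by default) and reference it from the Pod or container `securityContext` with `seccompProfile.type: Localhost` and `localhostProfile` set to the path relative to that directory. A trace only captures the code paths that ran, so exercise error handling and shutdown paths before trusting the allow-list, and keep the errno action while validating so a missed syscall surfaces as an application error rather than a killed container.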