Apply a Seccomp profile to containers
Seccomp write(2) syscall. Many syscalls are harmless, but others can be used to escalate privileges, adjust kernel settings, or perform other undesirable actions.

By default, containers will be run "unconfined," which allows them to invoke any syscall. Instead, AWS recommends enabling the default Seccomp profile provided by the container runtime. This profile allows most system calls, but excludes some that are considered high risk. See Seccomp security profiles for Docker.
To enable this profile, in each Pod or container's SecurityContext, specify a seccompProfile with a type of RuntimeDefault. See Set the Seccomp Profile for a Container.
It is also possible to run a container with a custom Seccomp profile. This can be used to further restrict the syscalls that may be invoked, or permit syscalls that would otherwise be forbidden. Tools such as strace(1) or Sysdig Inspect
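The two settings described above, the runtime default profile and a custom profile, in one Pod manifest. This is an added example, not part of the AWS guidance; the Pod name, images, and the profile path under the kubelet's seccomp root are assumed.

```yaml
# Added example (not from the AWS guidance page): a Pod that enables the
# container runtime's default Seccomp profile for every container, and one
# container that overrides it with a custom profile loaded from the node.
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-demo          # assumed name
spec:
  securityContext:
    # Pod-level setting: every container inherits RuntimeDefault unless it
    # declares its own seccompProfile in its container securityContext.
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: web
      image: nginx:1.25       # assumed image
      # No securityContext here, so this container runs with RuntimeDefault.
    - name: worker
      image: busybox:1.36     # assumed image
      command: ["sh", "-c", "sleep 3600"]
      securityContext:
        seccompProfile:
          # Custom profile. localhostProfile is relative to the kubelet's
          # seccomp root (by default <kubelet-root-dir>/seccomp), so with the
          # default root this file is /var/lib/kubelet/seccomp/profiles/worker.json
          # on the node (assumed path). The Pod fails to start if the file is
          # missing on the node it is scheduled to.
          type: Localhost
          localhostProfile: profiles/worker.json
```

To confirm a profile took effect, run `grep Seccomp /proc/1/status` inside the container: `Seccomp: 2` means a filter is applied, `Seccomp: 0` means the container is still unconfined.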