kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Improved the content Flow.

pull/39109/head
shubham82 2023-01-26 11:26:52 +09:00
parent 210116688f
commit 07995d0fab
1 changed files with 37 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
content/en/docs/tutorials/security/seccomp.md
View File

@ -265,6 +265,43 @@ docker exec -it kind-worker bash -c \
} }
``` ```
## Create Pod that uses the container runtime default seccomp profile
Most container runtimes provide a sane set of default syscalls that are allowed
or not. You can adopt these defaults for your workload by setting the seccomp
type in the security context of a pod or container to `RuntimeDefault`.
{{< note >}}
If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
{{< /note >}}
Here's a manifest for a Pod that requests the `RuntimeDefault` seccomp profile
for all its containers:
{{< codenew file="pods/security/seccomp/ga/default-pod.yaml" >}}
Create that Pod:
```shell
kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/default-pod.yaml
```
```shell
kubectl get pod default-pod
```
The Pod should be showing as having started successfully:
```
NAME READY STATUS RESTARTS AGE
default-pod 1/1 Running 0 20s
```
Finally, now that you saw that work OK, clean up:
```shell
kubectl delete pod default-pod --wait --now
```
## Create a Pod with a seccomp profile for syscall auditing ## Create a Pod with a seccomp profile for syscall auditing
To start off, apply the `audit.json` profile, which will log all syscalls of the To start off, apply the `audit.json` profile, which will log all syscalls of the
@ -493,43 +530,6 @@ kubectl delete service fine-pod --wait
kubectl delete pod fine-pod --wait --now kubectl delete pod fine-pod --wait --now
``` ```
## Create Pod that uses the container runtime default seccomp profile
Most container runtimes provide a sane set of default syscalls that are allowed
or not. You can adopt these defaults for your workload by setting the seccomp
type in the security context of a pod or container to `RuntimeDefault`.
{{< note >}}
If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
{{< /note >}}
Here's a manifest for a Pod that requests the `RuntimeDefault` seccomp profile
for all its containers:
{{< codenew file="pods/security/seccomp/ga/default-pod.yaml" >}}
Create that Pod:
```shell
kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/default-pod.yaml
```
```shell
kubectl get pod default-pod
```
The Pod should be showing as having started successfully:
```
NAME READY STATUS RESTARTS AGE
default-pod 1/1 Running 0 20s
```
Finally, now that you saw that work OK, clean up:
```shell
kubectl delete pod default-pod --wait --now
```
## {{% heading "whatsnext" %}} ## {{% heading "whatsnext" %}}
You can learn more about Linux seccomp: You can learn more about Linux seccomp: