Reword seccomp paragraph to remove alpha feature reference

Fix capitalization
pull/41948/head
Marcelo Giles 2023-07-08 13:15:29 -07:00
parent a9725c1149
commit 3581bb036d
No known key found for this signature in database
GPG Key ID: F79A638016E48DFE
1 changed files with 14 additions and 16 deletions

@ -97,6 +97,7 @@ For restricted LoadBalancer and ExternalIPs use, see
[CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs](https://github.com/kubernetes/kubernetes/issues/97076)
and the [DenyServiceExternalIPs admission controller](/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips)
for further information.
## Pod security
- [ ] RBAC rights to `create`, `update`, `patch`, `delete` workloads is only granted if necessary.
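Review bot: The checklist item at the end of this hunk, "RBAC rights to `create`, `update`, `patch`, `delete` workloads is only granted if necessary", has a subject-verb mismatch ("rights ... is"). Since this commit is already a wording and capitalization cleanup of the same page, change it to "are only granted if necessary" while this section is being touched.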
@ -153,23 +154,20 @@ Memory limit superior to request can expose the whole node to OOM issues.
### Enabling Seccomp
Seccomp can improve the security of your workloads by reducing the Linux kernel
syscall attack surface available inside containers. The seccomp filter mode
leverages BPF to create an allow or deny list of specific syscalls, named
profiles. Those seccomp profiles can be enabled on individual workloads,
[a security tutorial is available](/docs/tutorials/security/seccomp/). In
addition, the [Kubernetes Security Profiles Operator](https://github.com/kubernetes-sigs/security-profiles-operator)
is a project to facilitate the management and use of seccomp in clusters.
Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12.
It can be used to sandbox the privileges of a process, restricting the calls it is able to make
from userspace into the kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto
a node to your Pods and containers.
For historical context, please note that Docker has been using
[a default seccomp profile](https://docs.docker.com/engine/security/seccomp/)
to only allow a restricted set of syscalls since 2016 from
[Docker Engine 1.10](https://www.docker.com/blog/docker-engine-1-10-security/),
but Kubernetes is still not confining workloads by default. The default seccomp
profile can be found [in containerd](https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go)
as well. Fortunately, [Seccomp Default](/blog/2021/08/25/seccomp-default/), a
new alpha feature to use a default seccomp profile for all workloads can now be
enabled and tested.
Seccomp can improve the security of your workloads by reducing the Linux kernel syscall attack
surface available inside containers. The seccomp filter mode leverages BPF to create an allow or
deny list of specific syscalls, named profiles.
Since Kubernetes 1.27, you can enable the use of `RuntimeDefault` as the default seccomp profile
for all workloads. A [security tutorial](/docs/tutorials/security/seccomp/) is available on this
topic. In addition, the
[Kubernetes Security Profiles Operator](https://github.com/kubernetes-sigs/security-profiles-operator)
is a project that facilitates the management and use of seccomp in clusters.
{{< note >}}
Seccomp is only available on Linux nodes.
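Review bot: The new sentence "Since Kubernetes 1.27, you can enable the use of `RuntimeDefault` as the default seccomp profile for all workloads" should state that this is opt-in and point to how it is turned on. The paragraph being removed said explicitly that "Kubernetes is still not confining workloads by default"; with that gone, someone working through a security checklist can read the new text as meaning confinement is already in place. Suggest adding one sentence that workloads run without a seccomp profile unless this is enabled or a profile is set on the workload. The rewrite also drops the links to the Docker and containerd default profiles, so nothing here tells the reader what `RuntimeDefault` actually permits; keeping the containerd link next to the `RuntimeDefault` mention would cover that. Minor: "to create an allow or deny list of specific syscalls, named profiles" is carried over unchanged and still reads awkwardly; "These lists are called profiles" as a separate sentence would be clearer.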