Managing seccomp profiles

Create and manage seccomp profiles and bind them to workloads.

Creating seccomp profiles

Use the SeccompProfile object to create profiles.

SeccompProfile objects can restrict syscalls within a container, limiting the access of your application.

Procedure

  • Create the SeccompProfile object:

    1. apiVersion: security-profiles-operator.x-k8s.io/v1beta1
    2. kind: SeccompProfile
    3. metadata:
    4. namespace: my-namespace
    5. name: profile1
    6. spec:
    7. defaultAction: SCMP_ACT_LOG

The seccomp profile will be saved in /var/lib/kubelet/seccomp/operator/<namespace>/<name>.json.

An init container creates the root directory of the Security Profiles Operator to run the Operator without root group or user ID privileges. A symbolic link is created from the rootless profile storage /var/lib/openshift-security-profiles to the default seccomp root path inside of the kubelet root /var/lib/kubelet/seccomp/operator.

Applying seccomp profiles to a pod

Create a pod to apply one of the created profiles.

Procedure

  1. Create a pod object that defines a securityContext:

    1. apiVersion: v1
    2. kind: Pod
    3. metadata:
    4. name: test-pod
    5. spec:
    6. securityContext:
    7. seccompProfile:
    8. type: Localhost
    9. localhostProfile: operator/my-namespace/profile1.json
    10. containers:
    11. - name: test-container
    12. image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
  2. View the profile path of the seccompProfile.localhostProfile attribute by running the following command:

    1. $ oc -n my-namespace get seccompprofile profile1 --output wide

    Example output

    1. NAME STATUS AGE SECCOMPPROFILE.LOCALHOSTPROFILE
    2. profile1 Active 14s operator/my-namespace/profile1.json
  3. View the path to the localhost profile by running the following command:

    1. $ oc get sp profile1 --output=jsonpath='{.status.localhostProfile}'

    Example output

    1. operator/my-namespace/profile1.json
  4. Apply the localhostProfile output to the patch file:

    1. spec:
    2. template:
    3. spec:
    4. securityContext:
    5. seccompProfile:
    6. type: Localhost
    7. localhostProfile: operator/my-namespace/profile1.json
  5. Apply the profile to a Deployment object by running the following command:

    1. $ oc -n my-namespace patch deployment myapp --patch-file patch.yaml --type=merge

    Example output

    1. deployment.apps/myapp patched

Verification

  • Confirm the profile was applied correctly by running the following command:

    1. $ oc -n my-namespace get deployment myapp --output=jsonpath='{.spec.template.spec.securityContext}' | jq .

    Example output

    1. {
    2. "seccompProfile": {
    3. "localhostProfile": "operator/my-namespace/profile1.json",
    4. "type": "localhost"
    5. }
    6. }

Binding workloads to profiles with ProfileBindings

You can use the ProfileBinding resource to bind a security profile to the SecurityContext of a container.

Procedure

  1. To bind a pod that uses a quay.io/security-profiles-operator/test-nginx-unprivileged:1.21 image to the example SeccompProfile profile, create a ProfileBinding object in the same namespace with the pod and the SeccompProfile objects:

    1. apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
    2. kind: ProfileBinding
    3. metadata:
    4. namespace: my-namespace
    5. name: nginx-binding
    6. spec:
    7. profileRef:
    8. kind: SeccompProfile (1)
    9. name: profile (2)
    10. image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
    1The kind: variable refers to the name of the profile.
    2The name: variable refers to the name of the profile.
  2. Label the namespace with enable-binding=true by running the following command:

    1. $ oc label ns my-namespace spo.x-k8s.io/enable-binding=true
  3. Delete and re-create the pod to use the ProfileBinding object:

    1. $ oc delete pods test-pod && oc create -f pod01.yaml

Verification

  • Confirm the pod inherits the ProfileBinding by running the following command:

    1. $ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seccompProfile}'

    Example output

    1. {"localhostProfile":"operator/my-namespace/profile.json","type":"Localhost"}

Recording profiles from workloads

The Security Profiles Operator can record system calls with ProfileRecording objects, making it easier to create baseline profiles for applications.

When using the log enricher for recording seccomp profiles, verify the log enricher feature is enabled. See Additional resources for more information.

A container with privileged: true security context restraints prevents log-based recording. Privileged containers are not subject to seccomp policies, and log-based recording makes use of a special seccomp profile to record events.

Procedure

  1. Label the namespace with enable-recording=true by running the following command:

    1. $ oc label ns my-namespace spo.x-k8s.io/enable-recording=true
  2. Create a ProfileRecording object containing a recorder: logs variable:

    1. apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
    2. kind: ProfileRecording
    3. metadata:
    4. name: test-recording
    5. spec:
    6. kind: SeccompProfile
    7. recorder: logs
    8. podSelector:
    9. matchLabels:
    10. app: my-app
  3. Create a workload to record:

    1. apiVersion: v1
    2. kind: Pod
    3. metadata:
    4. name: my-pod
    5. labels:
    6. app: my-app
    7. spec:
    8. containers:
    9. - name: nginx
    10. image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
    11. ports:
    12. - containerPort: 8080
    13. - name: redis
    14. image: quay.io/security-profiles-operator/redis:6.2.1
  4. Confirm the pod is in a Running state by entering the following command:

    1. $ oc -n openshift-security-profiles get pods

    Example output

    1. NAME READY STATUS RESTARTS AGE
    2. my-pod 2/2 Running 0 18s
  5. Confirm the enricher indicates that it receives audit logs for those containers:

    1. $ oc -n openshift-security-profiles logs --since=1m --selector name=spod -c log-enricher

    Example output

    1. I0517 13:55:36.383187 348295 enricher.go:376] log-enricher "msg"="audit" "container"="redis" "namespace"="my-namespace" "node"="ip-10-0-189-53.us-east-2.compute.internal" "perm"="name_bind" "pod"="my-pod" "profile"="test-recording_redis_6kmrb_1684331729" "scontext"="system_u:system_r:selinuxrecording.process:s0:c4,c27" "tclass"="tcp_socket" "tcontext"="system_u:object_r:redis_port_t:s0" "timestamp"="1684331735.105:273965" "type"="seccomp"

Verification

  1. Remove the pod:

    1. $ oc -n openshift-security-profiles delete pod my-pod
  2. Confirm the Security Profiles Operator reconciles the two seccomp profiles:

    1. $ oc get seccompprofiles -n my-namespace

    Example output

    1. NAME USAGE STATE
    2. test-recording-nginx test-recording-nginx_my-namespace.process Installed
    3. test-recording-redis test-recording-redis_my-namespace.process Installed

Merging per-container profile instances

By default, each container instance records into a separate profile. The Security Profiles Operator can merge the per-container profiles into a single profile. Merging profiles is useful when deploying applications using ReplicaSet or Deployment objects.

Procedure

  1. Edit a ProfileRecording object to include a mergeStrategy: containers variable:

    1. apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
    2. kind: ProfileRecording
    3. metadata:
    4. # The name of the Recording is the same as the resulting SeccompProfile CRD
    5. # after reconciliation.
    6. name: test-recording
    7. spec:
    8. kind: SeccompProfile
    9. recorder: logs
    10. mergeStrategy: containers
    11. podSelector:
    12. matchLabels:
    13. app: sp-record
  2. Create the workload:

    1. apiVersion: apps/v1
    2. kind: Deployment
    3. metadata:
    4. name: nginx-deploy
    5. spec:
    6. replicas: 3
    7. selector:
    8. matchLabels:
    9. app: sp-record
    10. template:
    11. metadata:
    12. labels:
    13. app: sp-record
    14. spec:
    15. serviceAccountName: spo-record-sa
    16. containers:
    17. - name: nginx-record
    18. image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
    19. ports:
    20. - containerPort: 8080
  3. To record the individual profiles, delete the deployment by running the following command:

    1. $ oc delete deployment nginx-deploy
  4. To merge the profiles, delete the profile recording by running the following command:

    1. $ oc delete profilerecording test-recording
  5. To start the merge operation and generate the results profile, run the following command:

    1. $ oc get seccompprofiles -lspo.x-k8s.io/recording-id=test-recording

    Example output

    1. NAME USAGE STATE
    2. test-recording-nginx-record test-recording-nginx-record_mytest1.process Installed
  6. To view the permissions used by any of the containers, run the following command:

    1. $ oc get seccompprofiles test-recording-nginx-record -o yaml

Additional resources