Configuring seccomp profiles

An OKD container or a pod runs a single application that performs one or more well-defined tasks. The application usually requires only a small subset of the underlying operating system kernel APIs. Secure computing mode, seccomp, is a Linux kernel feature that can be used to limit the process running in a container to only using a subset of the available system calls.

The restricted-v2 SCC applies to all newly created pods in 4. The default seccomp profile runtime/default is applied to these pods.

Seccomp profiles are stored as JSON files on the disk.

Seccomp profiles cannot be applied to privileged containers.

Verifying the default seccomp profile applied to a pod

OKD ships with a default seccomp profile that is referenced as runtime/default. In 4, newly created pods have the Security Context Constraint (SCC) set to restricted-v2 and the default seccomp profile applies to the pod.

Procedure

  1. You can verify the Security Context Constraint (SCC) and the default seccomp profile set on a pod by running the following commands:

    1. Verify what pods are running in the namespace:

      1. $ oc get pods -n <namespace>

      For example, to verify what pods are running in the workshop namespace run the following:

      1. $ oc get pods -n workshop

      Example output

      1. NAME READY STATUS RESTARTS AGE
      2. parksmap-1-4xkwf 1/1 Running 0 2m17s
      3. parksmap-1-deploy 0/1 Completed 0 2m22s
    2. Inspect the pods:

      1. $ oc get pod parksmap-1-4xkwf -n workshop -o yaml

      Example output

      1. apiVersion: v1
      2. kind: Pod
      3. metadata:
      4. annotations:
      5. k8s.v1.cni.cncf.io/network-status: |-
      6. [{
      7. "name": "openshift-sdn",
      8. "interface": "eth0",
      9. "ips": [
      10. "10.131.0.18"
      11. ],
      12. "default": true,
      13. "dns": {}
      14. }]
      15. k8s.v1.cni.cncf.io/network-status: |-
      16. [{
      17. "name": "openshift-sdn",
      18. "interface": "eth0",
      19. "ips": [
      20. "10.131.0.18"
      21. ],
      22. "default": true,
      23. "dns": {}
      24. }]
      25. openshift.io/deployment-config.latest-version: "1"
      26. openshift.io/deployment-config.name: parksmap
      27. openshift.io/deployment.name: parksmap-1
      28. openshift.io/generated-by: OpenShiftWebConsole
      29. openshift.io/scc: restricted-v2 (1)
      30. seccomp.security.alpha.kubernetes.io/pod: runtime/default (2)
      1The restricted-v2 SCC is added by default if your workload does not have access to a different SCC.
      2Newly created pods in 4 will have the seccomp profile configured to runtime/default as mandated by the SCC.

Upgraded cluster

In clusters upgraded to 4 all authenticated users have access to the restricted and restricted-v2 SCC.

A workload admitted by the SCC restricted for example, on a OKD v4.10 cluster when upgraded may get admitted by restricted-v2. This is because restricted-v2 is the more restrictive SCC between restricted and restricted-v2.

The workload must be able to run with retricted-v2.

Conversely with a workload that requires privilegeEscalation: true this workload will continue to have the restricted SCC available for any authenticated user. This is because restricted-v2 does not allow privilegeEscalation.

Newly installed cluster

For newly installed OKD 4.11 or later clusters, the restricted-v2 replaces the restricted SCC as an SCC that is available to be used by any authenticated user. A workload with privilegeEscalation: true, is not admitted into the cluster since restricted-v2 is the only SCC available for authenticated users by default.

The feature privilegeEscalation is allowed by restricted but not by restricted-v2. More features are denied by restricted-v2 than were allowed by restricted SCC.

A workload with privilegeEscalation: true may be admitted into a newly installed OKD 4.11 or later cluster. To give access to the restricted SCC to the ServiceAccount running the workload (or any other SCC that can admit this workload) using a RoleBinding run the following command:

  1. $ oc -n <workload-namespace> adm policy add-scc-to-user <scc-name> -z <serviceaccount_name>

In OKD 4 the ability to add the pod annotations seccomp.security.alpha.kubernetes.io/pod: runtime/default and container.seccomp.security.alpha.kubernetes.io/<container_name>: runtime/default is deprecated.

Configuring a custom seccomp profile

You can configure a custom seccomp profile, which allows you to update the filters based on the application requirements. This allows cluster administrators to have greater control over the security of workloads running in OpenShift Container Platform.

Seccomp security profiles list the system calls (syscalls) a process can make. Permissions are broader than SELinux, which restrict operations, such as write, system-wide.

Creating seccomp profiles

You can use the MachineConfig object to create profiles.

Seccomp can restrict system calls (syscalls) within a container, limiting the access of your application.

Prerequisites

  • You have cluster admin permissions.

  • You have created a custom security context constraints (SCC). For more information, see Additional resources.

Procedure

  • Create the MachineConfig object:

    1. apiVersion: machineconfiguration.openshift.io/v1
    2. kind: MachineConfig
    3. metadata:
    4. labels:
    5. machineconfiguration.openshift.io/role: worker
    6. name: custom-seccomp
    7. spec:
    8. config:
    9. ignition:
    10. version: 3.2.0
    11. storage:
    12. files:
    13. - contents:
    14. source: data:text/plain;charset=utf-8;base64,<hash>
    15. filesystem: root
    16. mode: 0644
    17. path: /var/lib/kubelet/seccomp/seccomp-nostat.json

Setting up the custom seccomp profile

Prerequisite

  • You have cluster administrator permissions.

  • You have created a custom security context constraints (SCC). For more information, see “Additional resources”.

  • You have created a custom seccomp profile.

Procedure

  1. Upload your custom seccomp profile to /var/lib/kubelet/seccomp/<custom-name>.json by using the Machine Config. See “Additional resources” for detailed steps.

  2. Update the custom SCC by providing reference to the created custom seccomp profile:

    1. seccompProfiles:
    2. - localhost/<custom-name>.json (1)
    1Provide the name of your custom seccomp profile.

Applying the custom seccomp profile to the workload

Prerequisite

  • The cluster administrator has set up the custom seccomp profile. For more details, see “Setting up the custom seccomp profile”.

Procedure

  • Apply the seccomp profile to the workload by setting the securityContext.seccompProfile.type field as following:

    Example

    1. spec:
    2. securityContext:
    3. seccompProfile:
    4. type: Localhost
    5. localhostProfile: <custom-name>.json (1)
    1Provide the name of your custom seccomp profile.

    Alternatively, you can use the pod annotations seccomp.security.alpha.kubernetes.io/pod: localhost/<custom-name>.json. However, this method is deprecated in OKD 4.

During deployment, the admission controller validates the following:

  • The annotations against the current SCCs allowed by the user role.

  • The SCC, which includes the seccomp profile, is allowed for the pod.

If the SCC is allowed for the pod, the kubelet runs the pod with the specified seccomp profile.

Ensure that the seccomp profile is deployed to all worker nodes.

The custom SCC must have the appropriate priority to be automatically assigned to the pod or meet other conditions required by the pod, such as allowing CAP_NET_ADMIN.

Additional resources