KubeArmor Seccomp Support
KubeArmorPolicy for seccomp
apiVersion: security.kubearmor.com/v1
kind: KubeArmorSeccompPolicy
metadata:
name: ksp-wordpress-block-process
namespace: wordpress-mysql
spec:
severity: 3
selector:
matchLabels:
app: wordpress
seccomp:
arch: x86_64, x86, x32 #OPTIONAL
syscalls: accept4, epoll_wait, pselect6, futex, madvise
action: AllowFollowing is the mapped seccomp profile:
{
"defaultAction":"SCMP_ACT_ERRNO",
"architectures":[
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls":[
{
"names":[
"accept4",
"epoll_wait",
"pselect6",
"futex",
"madvise"
],
"action":"SCMP_ACT_ALLOW"
}
]
}K8s, Docker or any other container runtime allows the user to set just a single seccomp policy per pod. The seccomp policy has to be annotated as part of the container label and the pod needs to be restarted for any change in the policy. This is the primary reason for having a separate kscmp kind and not just reusing the existing ksp with seccomp rules.
There could be at most one seccomp policy per container. Thus when there are multiple seccomp policies pushed for the same pod then the seccomp rules have to be intersected. General rule of thumb would be that a syscall deny would always take precedence in case there are multiple seccomp rules for the same syscall.
Consider an example:
- Policy 1: kscmp1 - allow{s1, s2}, deny{s3}
- Policy 2: kscmp2 - allow{s1, s3}, deny{s2}
Here s1, s2, s3 are 3 different syscalls and kscmp1/2 are two
KubeArmorSeccompPolicy.
Final Seccomp Profile after merging the kscmp policies will be: allow {s1}, deny {s2, s3}
