Description
This issue is meant to start a conversation around changing a default in Kubernetes. The NSA/CISA recently published a Kubernetes hardening guide. It covers a wide range of items, but one of the recurring themes is changing defaults to activate more secure settings in Kubernetes. As I read through these, I wondered why some of these settings were not already the default in Kubernetes. I’m sure there’s more to the story around these items than I know, but I thought it would be worthwhile to have a public discussion around each. I’ve set up a series of issues here. Linking between them for ease of reference:
- Not mounting service tokens within pods
- Close insecure port access to API server
- Encrypt secrets by default
- Disable anonymous requests by default
- Turn on logging by default
- Provide a default seccomp profile (this issue)
The Issue:
From the NSA/CISA Guide:
“One method for auditing container system calls in Kubernetes is to use the Secure Compute Mode (seccomp) tool. This tool is disabled by default but can be used to limit a container’s system call abilities, thereby lowering the kernel’s attack surface. Seccomp can also log what calls are being made by using an audit profile.” - 26
NSA/CISA Proposed Fix:
“A custom seccomp profile is used to define which system calls are allowed and default actions for calls not specified. To enable a custom seccomp profile within a Pod, Kubernetes admins can write their seccomp profile JSON file to the `/var/lib/kubelet/seccomp/` directory and add a `seccompProfile` to the Pod’s `securityContext`. A custom `seccompProfile` should also include two fields: `Type: Localhost` and `localhostProfile: myseccomppolicy.json`. Logging all system calls can help administrators know what system calls are needed for standard operations allowing them to restrict the seccomp profile further without losing system functionality.” - 26
Question for Discussion:
Should Kubernetes provide a default seccomp profile? If so, what should this include? If not, is there a different method to limit system calls that could be included by default to improve Kubernetes security?
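
An added example, not part of the original issue or of Kubernetes itself: a small Python check for the setting the quoted guide describes, resolving each container's effective `seccompProfile` in a Pod manifest and listing the containers left unfiltered. The manifest and its names are constructed; the code uses the API's lowercase `type` field and assumes the kubelet applies no default profile, as the guide states.

```python
import json
import posixpath

# Profile directory named in the quoted guide.
SECCOMP_ROOT = "/var/lib/kubelet/seccomp"

# Constructed sample Pod manifest in JSON form; every name is hypothetical.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "demo"},
  "spec": {
    "securityContext": {
      "seccompProfile": {"type": "Localhost",
                         "localhostProfile": "myseccomppolicy.json"}
    },
    "initContainers": [{"name": "init", "image": "example/init"}],
    "containers": [
      {"name": "app", "image": "example/app"},
      {"name": "sidecar", "image": "example/sidecar",
       "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
      {"name": "debug", "image": "example/debug",
       "securityContext": {"seccompProfile": {"type": "Unconfined"}}}
    ]
  }
}
""")

def effective_seccomp(pod):
    """Map container name -> (profile type, host path of a Localhost profile).
    A container-level seccompProfile overrides the pod-level one. With neither
    set the result is Unconfined (assumes the kubelet applies no default).
    """
    spec = pod.get("spec", {})
    pod_level = (spec.get("securityContext") or {}).get("seccompProfile")
    result = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        own = (c.get("securityContext") or {}).get("seccompProfile")
        prof = own or pod_level or {"type": "Unconfined"}
        path = None
        if prof["type"] == "Localhost":
            path = posixpath.join(SECCOMP_ROOT, prof.get("localhostProfile", ""))
        result[c["name"]] = (prof["type"], path)
    return result

def unconfined(pod):
    """Names of containers left with no syscall filtering."""
    return sorted(n for n, (t, _) in effective_seccomp(pod).items() if t == "Unconfined")
```

On the sample manifest only `debug` is reported; a Pod with no `seccompProfile` anywhere reports every container, which is the default this issue asks about.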