©2020 VMware, Inc.
Seccomp Security
Profiles and You
A practical guide
Duffie Cooley
Staff Cloud Native Architect
$ whoami
● Staff Cloud Native Architect at VMware
● Host of tgik.io thepodlets.io
● I have been helping folks with Kubernetes since 2016!
● Find me most anywhere as @mauilion
What is a Container!
How does all this work!
$ info capabilities
How does all this work!
Capabilities grant access to stuff.
seccomp filters or blocks that access in a
granular way, one syscall at a time.
seccomp profiles should be written as an allow list
(default deny), not a deny list!
With a deny list you will miss stuff!
There are 345 syscalls in x86_64 arch as of
kernel 5.8.0-rc3
ref: fedora.juszkiewicz.com.pl/syscalls.html
amicontained
@mauilion
What can a Docker Container do?
What can a kubernetes pod do?
Why are these different!
● Folks like @jessfraz and others did a bunch of research into a
“reasonable” default seccomp profile.
● You can see this work here:
docs.docker.com/engine/security/seccomp/
● Docker still uses this by default!
● Kubernetes does not apply the runtime's default: unless a pod asks for a
profile, its containers run Unconfined.
Why tho?
● Mostly because of an implementation detail: a pod holds multiple containers.
● Each pod is at least 2 containers: an infra or “Pause” container and the
container(s) you define.
● The Pause container holds the shared things, like the network
namespace.
What do?
● You can set an annotation either at the pod or the container level!
POD
annotations:
  seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
Container
annotations:
  container.seccomp.security.alpha.kubernetes.io/<container-name>: "runtime/default"
● Valid values are runtime/default, unconfined and localhost/<path>, where
<path> is a file under the kubelet's seccomp directory.
● Since v1.19 the same thing is expressed as securityContext.seccompProfile on
the pod or the container, and the annotations are deprecated.
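The annotations above are the v1.19-and-earlier way of asking for a profile; the field form (securityContext.seccompProfile) replaces them. The script below is an added example, not code from the talk or from the Kubernetes project: it takes a Pod manifest loaded as a dict, moves the pod-level and per-container seccomp annotations into the matching securityContext fields, and drops the annotations it migrated. The echo-server pod is a constructed sample; the container port and the local profile path in it are assumptions.

```python
"""Migrate deprecated seccomp annotations to securityContext.seccompProfile.

Added example, not from the talk or the Kubernetes project. Works on a Pod
manifest loaded as a dict (for example via json.load or yaml.safe_load).
"""
import copy
import json

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def annotation_to_profile(value):
    """Map an annotation value to a securityContext.seccompProfile object."""
    # docker/default is the old alias for runtime/default (deprecated since v1.11).
    if value in ("runtime/default", "docker/default"):
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/"):
        # The path is relative to the kubelet's seccomp profile root,
        # i.e. <kubelet-root>/seccomp/<localhostProfile>.
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unknown seccomp annotation value: {value!r}")


def migrate_seccomp_annotations(pod):
    """Return a copy of `pod` with seccomp annotations moved into fields.

    Pod-level annotation    -> spec.securityContext.seccompProfile
    Per-container annotation -> spec.containers[i].securityContext.seccompProfile
    Migrated annotations are removed; unrelated annotations are kept.
    A container-level profile overrides the pod-level one, exactly as the
    annotations did.
    """
    pod = copy.deepcopy(pod)
    annotations = pod.get("metadata", {}).get("annotations", {})
    spec = pod.setdefault("spec", {})
    if POD_ANNOTATION in annotations:
        profile = annotation_to_profile(annotations.pop(POD_ANNOTATION))
        spec.setdefault("securityContext", {})["seccompProfile"] = profile
    for container in spec.get("containers", []):
        key = CONTAINER_ANNOTATION_PREFIX + container["name"]
        if key in annotations:
            profile = annotation_to_profile(annotations.pop(key))
            container.setdefault("securityContext", {})["seccompProfile"] = profile
    return pod


# Constructed sample (assumption, not a manifest from the talk): the demo's
# echo-server pod written with the slide's annotations plus a per-container
# local profile.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "echo-server",
        "annotations": {
            POD_ANNOTATION: "runtime/default",
            CONTAINER_ANNOTATION_PREFIX + "echo-server": "localhost/profiles/echo-server.json",
            "example.com/unrelated": "keep-me",
        },
    },
    "spec": {
        "containers": [
            {
                "name": "echo-server",
                "image": "inanimate/echo-server",
                "ports": [{"containerPort": 8080}],
            }
        ]
    },
}

if __name__ == "__main__":
    print(json.dumps(migrate_seccomp_annotations(SAMPLE_POD), indent=2))
```

Run it and feed the output to kubectl apply; unknown annotation values raise instead of being silently dropped, so a typo like "runtime/defualt" fails the migration rather than leaving the pod Unconfined.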
Why do this stuff at all?
● There are a bunch of attacks against containers that are interesting.
○ Supply Chain attacks.
Where did this container image and its deps come from?
○ Exploitable application bugs
Can I get a shell? Did some kind soul leave bash behind?
○ Syscalls in the shared linux kernel
With that shell I got what else can I do?
What syscalls are being used?
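Answering this question is how you build the allow-list profile the earlier slide asks for: trace the workload, collect the syscall names it actually makes, and allow only those. The script below is an added example, not code from the talk or from any of the projects it references. It parses the output of `strace -f -o trace.log <command>` (one syscall per line, with the PID prefix strace adds under -f) and emits a profile in the JSON format Docker and the seccomp-operator consume. The trace lines are a constructed sample of what a small HTTP server might produce, not a real capture.

```python
"""Turn an strace log into an allow-list (default-deny) seccomp profile.

Added example, not from the talk. Assumes a log produced with
`strace -f -o trace.log <command>` (one syscall per line, optional PID prefix).
"""
import json
import re

# Constructed sample (not a real capture): roughly what `strace -f -o trace.log
# ./echo-server` might record for a server that accepts one request.
SAMPLE_TRACE = """\
12345 execve("/echo-server", ["/echo-server"], 0x7ffd1c0a1b20 /* 4 vars */) = 0
12345 brk(NULL)                         = 0x5601a2c3d000
12345 arch_prctl(ARCH_SET_FS, 0x7f3a5c1ab740) = 0
12345 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a5c1a9000
12345 socket(AF_INET6, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3
12345 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
12345 bind(3, {sa_family=AF_INET6, sin6_port=htons(8080), sin6_addr=in6addr_any}, 28) = 0
12345 listen(3, 4096)                   = 0
12345 epoll_create1(EPOLL_CLOEXEC)      = 4
12345 clone(child_stack=0x7f3a5b9a8fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD) = 12346
12345 epoll_wait(4, <unfinished ...>
12346 futex(0x5601a2c3e5a0, FUTEX_WAKE_PRIVATE, 1) = 1
12346 accept4(3, {sa_family=AF_INET6, sin6_port=htons(51234)}, [28], SOCK_CLOEXEC|SOCK_NONBLOCK) = 5
12346 read(5, "GET / HTTP/1.1\\r\\nHost: localhost\\r\\n\\r\\n", 4096) = 37
12346 write(5, "HTTP/1.1 200 OK\\r\\nContent-Length: 2\\r\\n\\r\\nok", 41) = 41
12346 close(5)                          = 0
12346 +++ exited with 0 +++
12345 <... epoll_wait resumed>[{EPOLLIN, {u32=3, u64=3}}], 128, -1) = 1
12345 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=12346} ---
"""

# A syscall line starts with an optional "[pid N]" or "N" prefix, then the
# syscall name and "(". Exit markers ("+++"), signal lines ("---") and
# "<... resumed>" continuations never match, so they are skipped.
SYSCALL_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?:\d+\s+)?([A-Za-z_][A-Za-z0-9_]*)\(")

# Runtimes install the filter right before the container's execve(), and the
# process must still be able to exit and return from signal handlers, so these
# are allowed even if a short trace never showed them.
ALWAYS_ALLOW = ("execve", "exit", "exit_group", "rt_sigreturn")


def parse_strace(log):
    """Return the set of syscall names that appear in an strace log."""
    calls = set()
    for line in log.splitlines():
        m = SYSCALL_LINE.match(line)
        if m:
            calls.add(m.group(1))
    return calls


def build_profile(calls, action="SCMP_ACT_ERRNO"):
    """Return a Docker/OCI-format seccomp profile that allows only `calls`.

    `action` is what every other syscall gets: SCMP_ACT_ERRNO (fail with
    EPERM) to enforce, or SCMP_ACT_LOG (allow but log, kernel >= 4.14) for an
    audit run that shows what the trace missed before you enforce.
    """
    names = sorted(set(calls) | set(ALWAYS_ALLOW))
    return {
        "defaultAction": action,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW"}],
    }


def profile_json(log, action="SCMP_ACT_ERRNO"):
    """Parse a log and render the profile as JSON ready for --security-opt seccomp=."""
    return json.dumps(build_profile(parse_strace(log), action), indent=2)


if __name__ == "__main__":
    print(profile_json(SAMPLE_TRACE))
```

strace only records the code paths you exercised, so trace the program under its real workload or test suite, on the same architecture and libc as production, and do a first deployment with SCMP_ACT_LOG as the default action before switching to SCMP_ACT_ERRNO. Tracing inside a container needs CAP_SYS_PTRACE, which the Docker default profile deliberately withholds, so trace on a workstation rather than loosening the profile in the cluster.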
But what about my container images?
Optimize Your Docker Containers. Smaller, Faster,
More Secure, Frictionless!
Demo Time!
Docker image: inanimate/echo-server
Environment: kind.sigs.k8s.io
Kubernetes Version: v1.19
sigs.k8s.io/seccomp-operator deployed.
SHOUT OUTS!
● Come see @IanColdwater and me present at security day!
● Shout-out to:
○ The magnificent Mr. Daniel Mangum!
○ The amazing Paulo Gomez!
○ The incredible Sascha Grunert!
● References:
○ sigs.k8s.io/kind
○ sigs.k8s.io/seccomp-operator
○ docs.k8s.io/tutorials/clusters/seccomp/
○ itnext.io/seccomp-in-kubernetes-part-i-7-things-you-should-know-before-you-even-start-97502ad6b6d6
○ itnext.io/seccomp-in-kubernetes-part-2-crafting-custom-seccomp-profiles-for-your-applications-c28c658f676e
Thank You
