Seccomp Auditor (seccomp)

Finds containers running without Seccomp.

General Usage

kubeaudit seccomp [flags]

See Global Flags

Examples

$ kubeaudit seccomp -f "auditors/seccomp/fixtures/seccomp-annotation-missing.yml"

---------------- Results for ---------------

  apiVersion: v1
  kind: Pod
  metadata:
    name: pod
    namespace: seccomp-annotation-missing

--------------------------------------------

-- [error] SeccompAnnotationMissing
   Message: Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added.
   Metadata:
      MissingAnnotation: seccomp.security.alpha.kubernetes.io/pod

Explanation

Seccomp (Secure Computing Mode) is a Linux kernel feature that restricts the system calls a process is allowed to make. A container with no seccomp profile can invoke every syscall the host kernel exposes, which widens the attack surface available to anyone who gains code execution inside the container (kernel vulnerabilities, container escapes).

Seccomp is enabled through an annotation. It can be either a pod annotation, which enables seccomp for all containers within that pod, or a container annotation, which enables seccomp only for the named container. Note that Kubernetes 1.19 and later also expose the profile as the securityContext.seccompProfile field (at pod and container level); the annotations below are deprecated in favour of that field and are no longer honoured from Kubernetes 1.27 onwards, so on current clusters set the field as well.

The pod annotation has the following format:

seccomp.security.alpha.kubernetes.io/pod: [seccomp profile]

The container annotation has the following format:

container.seccomp.security.alpha.kubernetes.io/[container name]: [seccomp profile]

Prefer the pod annotation: it covers every container in the pod, including any added later, whereas a container annotation must be repeated for each container name and any container without one stays unfiltered.

The value of the annotation (the seccomp profile) can be set to either the default profile (runtime/default), which is the profile shipped with the container runtime, or a custom profile (localhost/[profile name]), which must exist as a file under the kubelet's seccomp profile root on every node the pod may be scheduled to (by default /var/lib/kubelet/seccomp); a pod that references a missing profile fails to start. The value unconfined disables filtering entirely and is not an acceptable setting.
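The rule above (pod annotation covers all containers, a container annotation overrides it for one container, only runtime/default or localhost/... count as enabled) can be expressed as a small static check. The following is an added example and not kubeaudit's own code; it assumes the manifest is already parsed into a Python dict (what yaml.safe_load() returns for a Pod, or the spec.template of a Deployment) and, as an assumption going beyond the page, also accepts the Kubernetes 1.19+ securityContext.seccompProfile field as equivalent to the deprecated annotations. The sample manifests are constructed, not the project's fixtures.

```python
"""Static check for the seccomp annotation rule described above.

Added example, not kubeaudit's own code. Assumptions (not taken from the page):
- The manifest is an already-parsed dict, i.e. the result of yaml.safe_load()
  on a Pod, or the spec.template of a Deployment.
- The Kubernetes 1.19+ field securityContext.seccompProfile is treated as the
  equivalent of the (deprecated) annotations, at pod and container level.
"""
from typing import Optional

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def profile_is_acceptable(profile: str) -> bool:
    """runtime/default or localhost/<name> enable filtering; 'unconfined', an
    empty value or a bare 'localhost/' leave the container unfiltered or
    reference no profile at all."""
    if profile == "runtime/default":
        return True
    return profile.startswith("localhost/") and len(profile) > len("localhost/")


def field_profile(security_context: Optional[dict]) -> Optional[str]:
    """Map a securityContext.seccompProfile field onto the annotation values,
    so both spellings are judged by the same rule."""
    sp = (security_context or {}).get("seccompProfile")
    if not sp:
        return None
    kind = sp.get("type")
    if kind == "RuntimeDefault":
        return "runtime/default"
    if kind == "Localhost":
        return "localhost/" + sp.get("localhostProfile", "")
    if kind == "Unconfined":
        return "unconfined"
    return None


def audit_seccomp(pod: dict) -> list:
    """Return one finding per problem; an empty list means the pod passes."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    spec = pod.get("spec") or {}
    findings = []

    # Pod-level setting: annotation first, then the field form.
    pod_profile = annotations.get(POD_ANNOTATION) or field_profile(spec.get("securityContext"))
    if pod_profile is not None and not profile_is_acceptable(pod_profile):
        findings.append(f"pod: seccomp profile '{pod_profile}' disables filtering")

    for container in spec.get("containers") or []:
        name = container.get("name", "<unnamed>")
        # A container-level setting overrides the pod-level one for that container.
        profile = annotations.get(CONTAINER_ANNOTATION_PREFIX + name) or field_profile(
            container.get("securityContext")
        )
        if profile is None:
            if pod_profile is None:
                findings.append(
                    f"container '{name}': no seccomp profile; add "
                    f"{POD_ANNOTATION}: runtime/default"
                )
        elif not profile_is_acceptable(profile):
            findings.append(f"container '{name}': seccomp profile '{profile}' disables filtering")
    return findings


# Constructed sample manifests (not the project's fixtures).
MISSING = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}
PASSING = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod", "annotations": {POD_ANNOTATION: "runtime/default"}},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}
# Pod annotation is fine, but one container opts out again.
MIXED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod", "annotations": {
        POD_ANNOTATION: "runtime/default",
        CONTAINER_ANNOTATION_PREFIX + "debug": "unconfined",
    }},
    "spec": {"containers": [{"name": "app", "image": "nginx"},
                            {"name": "debug", "image": "busybox"}]},
}

if __name__ == "__main__":
    for label, manifest in (("missing", MISSING), ("passing", PASSING), ("mixed", MIXED)):
        print(label, "->", audit_seccomp(manifest) or "OK")
```

The MIXED case is the one worth remembering: a correct pod annotation does not help a container that carries its own unconfined annotation, which is why the check evaluates each container rather than stopping at the pod level.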

Example of a resource which passes the seccomp audit:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: runtime/default
    spec:
      containers:
      - name: my-container
        image: my-image:1.0
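Passing the audit shows the manifest asks for a profile; it does not show the kernel is enforcing one. The kernel reports the mode in /proc/<pid>/status as Seccomp: 0 (disabled), 1 (strict) or 2 (filter), and on Linux 5.9+ also Seccomp_filters: N for the number of attached BPF filters; a container started with runtime/default or a localhost/ profile shows mode 2. The following added example (not part of the page or of kubeaudit) parses that field; the command to collect it from a running pod, `kubectl exec <pod> -c <container> -- grep Seccomp /proc/1/status`, is the assumed way to use it, and the status texts in the block are constructed samples rather than captures from a node.

```python
"""Runtime check: confirm the kernel is actually enforcing a seccomp filter
on a container's process by reading /proc/<pid>/status.

Added example, not part of the page or of kubeaudit. Field meanings:
  Seccomp: 0 disabled, 1 strict, 2 filter (BPF)
  Seccomp_filters: N   number of attached filters (Linux 5.9+)
Assumed usage inside a Pod (PID 1 is the container's entrypoint):
  kubectl exec <pod> -c <container> -- grep Seccomp /proc/1/status
The status texts below are constructed samples, not captured from a node.
"""
import re
from typing import Optional

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def seccomp_mode(status_text: str) -> str:
    """Return 'disabled', 'strict' or 'filter' from a /proc/<pid>/status dump."""
    m = re.search(r"^Seccomp:\s*(\d+)\s*$", status_text, re.MULTILINE)
    if m is None:
        # Field absent: kernel older than 3.8 or built without CONFIG_SECCOMP.
        raise ValueError("no Seccomp field in status; kernel lacks seccomp support")
    value = int(m.group(1))
    return SECCOMP_MODES.get(value, f"unknown({value})")


def seccomp_filter_count(status_text: str) -> Optional[int]:
    """Number of attached BPF filters, or None on kernels before 5.9."""
    m = re.search(r"^Seccomp_filters:\s*(\d+)\s*$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def is_confined(status_text: str) -> bool:
    """True when a filter-mode seccomp policy is active for the process.
    Caveat: a process that installs its own filter (a sandboxed browser, for
    example) also shows mode 2, so this proves that a filter exists, not
    that it is the one the runtime was asked to apply."""
    return seccomp_mode(status_text) == "filter"


def read_status(pid: str = "self") -> str:
    """Read the live status file; run this inside the container being checked."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return fh.read()


# Constructed samples: a container running under runtime/default versus an
# unconfined one (only the relevant fields are included).
CONFINED_STATUS = (
    "Name:\tnginx\n"
    "State:\tS (sleeping)\n"
    "Pid:\t1\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t1\n"
)
UNCONFINED_STATUS = (
    "Name:\tnginx\n"
    "State:\tS (sleeping)\n"
    "Pid:\t1\n"
    "Seccomp:\t0\n"
    "Seccomp_filters:\t0\n"
)

if __name__ == "__main__":
    for label, text in (("confined", CONFINED_STATUS), ("unconfined", UNCONFINED_STATUS)):
        print(label, seccomp_mode(text), seccomp_filter_count(text))
    try:
        print("this process:", seccomp_mode(read_status()))
    except OSError:
        print("this process: /proc not available (not running on Linux)")
```

A pod that passes the audit but whose PID 1 reports Seccomp: 0 points at the cluster side: a node whose runtime ignores the annotation (for example because the annotation form is no longer honoured on that Kubernetes version) or a localhost/ profile missing from the node.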

To learn more about Seccomp, see https://en.wikipedia.org/wiki/Seccomp

To learn more about Seccomp in Kubernetes, see https://gardener.cloud/050-tutorials/content/howto/secure-seccomp/

Override Errors

Overrides are not currently supported for seccomp.