January 6, 2022 | 2 min read

SecComp in Docker and Kubernetes

**Determine blocked syscalls with amicontained**

amicontained (r.j3ss.co/amicontained) probes the sandbox it runs in and reports the runtime, namespaces, AppArmor profile, capability bounding set and, by probing each syscall, which ones the active seccomp filter rejects. The run below gets Docker's default profile, since no --security-opt seccomp option was given; the entries it lists are syscalls, not kernel modules.

sudo docker run r.j3ss.co/amicontained amicontained
Unable to find image 'r.j3ss.co/amicontained:latest' locally
latest: Pulling from amicontained
df20fa9351a1: Already exists 
4bca37c4648a: Pull complete 
c09295bf22ac: Pull complete 
Digest: sha256:97c19e0861c6555aafb9d025901a731a2a1d12ab1defbbf153141dd82337ff73
Status: Downloaded newer image for r.j3ss.co/amicontained:latest
Container Runtime: not-found
Has Namespaces:
        pid: true
        user: false
AppArmor Profile: unconfined
Capabilities:
        BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
Seccomp: filtering
Blocked Syscalls (60):
        SYSLOG SETPGID SETSID USELIB USTAT SYSFS VHANGUP PIVOT_ROOT _SYSCTL ACCT SETTIMEOFDAY MOUNT UMOUNT2 SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE GET_KERNEL_SYMS QUERY_MODULE QUOTACTL NFSSERVCTL GETPMSG PUTPMSG AFS_SYSCALL TUXCALL SECURITY LOOKUP_DCOOKIE CLOCK_SETTIME VSERVER MBIND SET_MEMPOLICY GET_MEMPOLICY KEXEC_LOAD ADD_KEY REQUEST_KEY KEYCTL MIGRATE_PAGES UNSHARE MOVE_PAGES PERF_EVENT_OPEN FANOTIFY_INIT NAME_TO_HANDLE_AT OPEN_BY_HANDLE_AT SETNS PROCESS_VM_READV PROCESS_VM_WRITEV KCMP FINIT_MODULE KEXEC_FILE_LOAD BPF USERFAULTFD PKEY_MPROTECT PKEY_ALLOC PKEY_FREE
Looking for Docker.sock

**Run a container with a custom seccomp profile**

docker run --security-opt seccomp=profile-docker-nginx.json --name nginx nginx

docker: Error response from daemon: Conflict. The container name "/nginx" is already in use by container "14d70f33e9c444098ad8ab8f75e0f6e3d0ffc46c84bdd7c2c013c04ca8c3ed89". You have to remove (or rename) that container to be able to reuse that name.
See 'docker run --help'.

The conflict is unrelated to seccomp: a container named nginx is left over from an earlier run, so remove or rename it before retrying. The profile file is read by the Docker CLI and sent to the daemon, so the path is relative to the directory the command is run from.

**Create a pod with a seccomp profile**

The profile is selected through the pod's securityContext.seccompProfile (a stable field since Kubernetes 1.19). With type Localhost, localhostProfile is a path relative to the kubelet's seccomp directory, /var/lib/kubelet/seccomp by default, on the node the pod is scheduled to, so the file has to exist on every node that can run the pod; if it is missing, the container fails to be created. The AppArmor annotation is a separate mechanism and refers to a profile that is already loaded into the node's kernel.

root@cks-master:~# cat secure.yaml 
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/secure: localhost/docker-nginx
  creationTimestamp: null
  labels:
    run: secure
  name: secure
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profile-docker-nginx.json
  containers:
  - image: nginx
    name: secure
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

**Important: the seccomp profile file lives on the node at /var/lib/kubelet/seccomp/profile-docker-nginx.json**

This is the same JSON format Docker uses. defaultAction applies to every syscall the profile does not list, SCMP_ACT_ERRNO here, so the profile is an allow-list, and archMap names the architectures the filter is compiled for. Once the pod is running, the Seccomp field of /proc/<pid>/status for the container's processes on the node reads 2 (filter mode).

root@cks-worker:~# cat /var/lib/kubelet/seccomp/profile-docker-nginx.json | head
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "archMap": [
    {
      "architecture": "SCMP_ARCH_X86_64",
      "subArchitectures": [
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
      ]
    },
...

Jan Toth

I have been in DevOps related jobs for past 6 years dealing mainly with Kubernetes in AWS and on-premise as well. I spent quite a lot …