All syscalls

Learn about Linux syscalls and seccomp profiles for Kubernetes, including how to look up syscall numbers and create audit and violation profiles.

Learn about syscalls and seccomp

Understanding Linux syscalls is essential for configuring seccomp profiles in Kubernetes. The commands below show how to look up specific syscall numbers and set up seccomp profiles in the default kubelet directory for use with pods.

# Look up which syscall has number 35 on x86_64 (the header maps names to numbers)
grep -w 35 /usr/include/asm/unistd_64.h
#define __NR_nanosleep 35


# Create seccomp profiles in the kubelet's default seccomp root
sudo mkdir -p /var/lib/kubelet/seccomp/profiles
sudo touch /var/lib/kubelet/seccomp/profiles/audit.json
sudo touch /var/lib/kubelet/seccomp/profiles/violation.json

# audit.json: log every syscall instead of blocking it
sudo cat /var/lib/kubelet/seccomp/profiles/audit.json
{
    "defaultAction": "SCMP_ACT_LOG"
}

# violation.json: return an error for every syscall that is not explicitly allowed

sudo cat /var/lib/kubelet/seccomp/profiles/violation.json
{
    "defaultAction": "SCMP_ACT_ERRNO"
}
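The two profiles above only set a default action. As an added example (not code from the original post), the script below parses a constructed excerpt of `unistd_64.h` into a name-to-number table, builds a deny-by-default profile that allows only a named set of syscalls (refusing unknown names so a typo cannot silently change the policy), and emits the Pod `securityContext` fragment that points the kubelet at a profile under `/var/lib/kubelet/seccomp`. The function and variable names are my own.

```python
import json
import re

# Constructed excerpt of /usr/include/asm/unistd_64.h (x86_64 syscall table)
UNISTD_64_SAMPLE = """\
#define __NR_read 0
#define __NR_write 1
#define __NR_open 2
#define __NR_close 3
#define __NR_nanosleep 35
#define __NR_exit_group 231
"""


def parse_syscall_table(header_text):
    """Map syscall name -> number from '#define __NR_<name> <num>' lines."""
    table = {}
    for m in re.finditer(r"^#define\s+__NR_(\w+)\s+(\d+)\s*$", header_text, re.M):
        table[m.group(1)] = int(m.group(2))
    return table


def build_allowlist_profile(allowed, table, arch="SCMP_ARCH_X86_64"):
    """Deny everything by default (SCMP_ACT_ERRNO) and allow only the named syscalls.

    Names are checked against the parsed table so a misspelled syscall is
    rejected here rather than silently ignored by the runtime.
    """
    unknown = sorted(set(allowed) - table.keys())
    if unknown:
        raise ValueError(f"unknown syscalls: {unknown}")
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def pod_seccomp_context(profile_path):
    """Pod/container securityContext; the path is relative to /var/lib/kubelet/seccomp."""
    return {"seccompProfile": {"type": "Localhost", "localhostProfile": profile_path}}


if __name__ == "__main__":
    table = parse_syscall_table(UNISTD_64_SAMPLE)
    profile = build_allowlist_profile(["read", "write", "exit_group", "nanosleep"], table)
    print(json.dumps(profile, indent=2))
    print(json.dumps(pod_seccomp_context("profiles/violation.json"), indent=2))
```

Run a workload under `audit.json` first and collect the logged syscalls before switching it to a deny-by-default profile, otherwise the first unexpected syscall fails with an errno the application may not handle.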


This post is licensed under CC BY 4.0 by the author.