Enforce cluster-wide a security baseline for seccomp profile installation #897
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
ccojocar
added
the
kind/feature
|
In this thread is a design discussion: https://kubernetes.slack.com/archives/C013FQNB0A2/p1650358471997719 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What would you like to be added:
In a cluster where different tenants can install seccomp profiles in different namespaces, it is paramount to enforce cluster-wide
a security baseline for seccomp profile installation. This will prevent that the tenants will introduce system calls which are not allowed by the cluster operators in order to avoid container escapes and such.
It should be possible to install only a subset of the baseline. For example, a seccomp profile should only be successfully installed when it contains a subset of the system calls available in the baseline profile (aka cluster default seccomp profile).
Why is this needed:
This will allow a cluster administrator to enforce which system calls are allowed to be enabled in the cluster via the operator. This will prevent from introducing dangerous system calls which might lead to container escapes.
We want to prevent that someone extends the seccomp profile installed in a namespace beyond the cluster default profile(https://kubernetes.io/blog/2021/08/25/seccomp-default/#seccompdefault-to-the-rescue).
User story covered
The text was updated successfully, but these errors were encountered: