Skip to content

M6: Seccomp profile auto-generation from observed behavior #54

Open
Open
M6: Seccomp profile auto-generation from observed behavior#54
Labels
infrastructureCluster and infra setupmodule-6Runtime eBPF and kernel enforcement
@CodeBuildder

Description

@CodeBuildder
CodeBuildder
opened on Apr 17, 2026

Goal

Observe pod syscall usage for 24h, generate a minimal seccomp profile, apply it, block everything else.

Tasks

  • Deploy seccomp-operator or use Tetragon to record syscalls per pod
  • Build profile generator: aggregate syscalls over 24h window per pod/container
  • Generate seccomp JSON profiles
  • Apply profiles via pod annotations
  • Build Argus endpoint: GET /seccomp/profiles, POST /seccomp/apply/:pod

Acceptance criteria

  • Profile generated for payment-service in staging
  • Profile blocks unexpected syscalls
  • Argus UI shows profile coverage per pod

Metadata

Metadata

Assignees

No one assigned

    Labels

    infrastructureCluster and infra setupmodule-6Runtime eBPF and kernel enforcement

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions