From 3581bb036daf627ae28c7d1e24aa60abb3c8a5c5 Mon Sep 17 00:00:00 2001 From: Marcelo Giles Date: Sat, 8 Jul 2023 13:15:29 -0700 Subject: [PATCH] Reword seccomp paragraph to remove alpha feature reference Fix capitalization --- .../concepts/security/security-checklist.md | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/content/en/docs/concepts/security/security-checklist.md b/content/en/docs/concepts/security/security-checklist.md index 99ad8b6180bad..ce96812567c82 100644 --- a/content/en/docs/concepts/security/security-checklist.md +++ b/content/en/docs/concepts/security/security-checklist.md @@ -97,6 +97,7 @@ For restricted LoadBalancer and ExternalIPs use, see [CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs](https://github.com/kubernetes/kubernetes/issues/97076) and the [DenyServiceExternalIPs admission controller](/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips) for further information. + ## Pod security - [ ] RBAC rights to `create`, `update`, `patch`, `delete` workloads is only granted if necessary. 
@@ -153,23 +154,20 @@ Memory limit superior to request can expose the whole node to OOM issues. ### Enabling Seccomp -Seccomp can improve the security of your workloads by reducing the Linux kernel -syscall attack surface available inside containers. The seccomp filter mode -leverages BPF to create an allow or deny list of specific syscalls, named -profiles. Those seccomp profiles can be enabled on individual workloads, -[a security tutorial is available](/docs/tutorials/security/seccomp/). In -addition, the [Kubernetes Security Profiles Operator](https://github.com/kubernetes-sigs/security-profiles-operator) -is a project to facilitate the management and use of seccomp in clusters. - -For historical context, please note that Docker has been using -[a default seccomp profile](https://docs.docker.com/engine/security/seccomp/) -to only allow a restricted set of syscalls since 2016 from -[Docker Engine 1.10](https://www.docker.com/blog/docker-engine-1-10-security/), -but Kubernetes is still not confining workloads by default. The default seccomp -profile can be found [in containerd](https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go) -as well. Fortunately, [Seccomp Default](/blog/2021/08/25/seccomp-default/), a -new alpha feature to use a default seccomp profile for all workloads can now be -enabled and tested. +Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12. +It can be used to sandbox the privileges of a process, restricting the calls it is able to make +from userspace into the kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto +a node to your Pods and containers. + +Seccomp can improve the security of your workloads by reducing the Linux kernel syscall attack +surface available inside containers. The seccomp filter mode leverages BPF to create an allow or +deny list of specific syscalls, named profiles. 
+ +Since Kubernetes 1.27, you can enable the use of `RuntimeDefault` as the default seccomp profile +for all workloads. A [security tutorial](/docs/tutorials/security/seccomp/) is available on this +topic. In addition, the +[Kubernetes Security Profiles Operator](https://github.com/kubernetes-sigs/security-profiles-operator) +is a project that facilitates the management and use of seccomp in clusters. {{< note >}} Seccomp is only available on Linux nodes.
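Review bot: in the first hunk (`@@ -97,6 +97,7 @@`) the only change is a blank line inserted before `## Pod security`, and the commit message's second line, "Fix capitalization", does not correspond to any change visible in either hunk of this patch. Either drop that line from the message or have it describe what the diff actually does (the heading spacing fix plus the seccomp rewording), so the message matches the 15 insertions / 17 deletions it records.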
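Review bot: in the second hunk (`@@ -153,23 +154,20 @@`), the new paragraph "Since Kubernetes 1.27, you can enable the use of `RuntimeDefault` as the default seccomp profile for all workloads" drops two things the removed text carried: the explicit statement that Kubernetes is "still not confining workloads by default", and a link ([Seccomp Default](/blog/2021/08/25/seccomp-default/)) that told the reader how the default profile is turned on. Since the wording "you can enable" shows the feature is still opt-in, suggest keeping one sentence that says Pods run unconfined unless this is configured, and linking the tutorial section or kubelet configuration that enables it rather than leaving only a version number. Minor, carried over from the old text: "create an allow or deny list of specific syscalls, named profiles" reads as if the list is named "profiles"; "such a list is called a profile" would be clearer.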