-
Notifications
You must be signed in to change notification settings - Fork 38.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TOB-K8S-002: Seccomp is disabled by default #81115
Comments
/sig auth |
Previous discussion: #39845 I would love to see this happen, but previous efforts to make this change have resulted in requests to:
(1) is likely to happen in k8s 1.17. (2) Is a good follow up to that. (3) would be very useful, but also seems like the hardest change to make, and no one seems interested in investing significantly into seccomp right now. |
@tallclair I would be keen to help us achieve that. Is there any of those 3 points that help is wanted? |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
/lifecycle frozen |
Linked two PRs that enable seccomp by default for pod sandbox. |
how to completely disable seccomp? Asking for profiling scenarios with |
@michelgokan for a given pod / container? Or globally for the cluster? Or disabling for the kernel? |
As a simple workaround, I used following dummy seccomp configuration to enable all syscalls:
|
Fantastic! Yes I believe that does resolve this. |
This issue was reported in the Kubernetes Security Audit Report
Description
Seccomp is disabled by default for containers configured by kubelet since 1.10.0. This allows configured containers to interact directly with the host kernel. Depending on container privileges, this could lead to extended access to the host beyond limited kernel access.
While there is a Pod security annotation to specify a particular seccomp profile, this does not apply a constrained profile by default. According to issue #20870 this is to avoid breaking backwards compatibility with previous Kubernetes versions, with the downside of exposing the underlying host.
Exploit Scenario
Alice schedules a Pod containing her web application to her Kubernetes cluster. Eve identifies a vulnerability in Alice’s web application and gains remote code execution within the container running Alice’s application. Unbeknownst to Alice, Eve is able to use a kernel exploit due to an unconfined seccomp profile of the container.
Recommendation
Short term, the default profile should be that of the underlying container runtime installation. While a constrained seccomp profile could break backwards compatibility, critical safety features should be opt-out, not opt-in.
Long term, migrate towards using a default profile. Perform validation across nodes to ensure consistent profile usage in a default state.
Anything else we need to know?:
See #81146 for current status of all issues created from these findings.
The vendor gave this issue an ID of TOB-K8S-002 and it was finding 7 of the report.
The vendor considers this issue Medium Severity.
To view the original finding, begin on page 32 of the Kubernetes Security Review Report
Environment:
The text was updated successfully, but these errors were encountered: