This document describes how to configure Kubernetes Seccomp (Secure Computing Mode) profiles for Apigee hybrid pods to enhance security by restricting the system calls (syscalls) that containers are allowed to make.
About Seccomp profiles in Kubernetes
Seccomp is a Linux kernel security feature that limits the system calls a process can make. When used with Kubernetes, you can apply Seccomp profiles to a pod's securityContext to restrict the syscalls available to its containers. This helps reduce the attack surface of the container and mitigates the risk of container breakouts or privilege escalation by enforcing the principle of least privilege.
For more information on Seccomp in Kubernetes, see Secure Computing (Seccomp) in the Kubernetes documentation.
In hybrid, Seccomp profiles are not enabled by default: unless the cluster's kubelet is configured to apply RuntimeDefault to every pod (the kubelet seccompDefault setting), hybrid pods run with no syscall filter. You can choose to apply a Seccomp profile to hybrid components by adding the seccompProfile object to your overrides.yaml file.
Configuring Seccomp profiles
You can apply Seccomp profiles globally, per environment, or per component in your overrides.yaml file by adding the securityContext.seccompProfile configuration block. hybrid supports the following Seccomp profile types:
- RuntimeDefault: The default profile shipped by the container runtime (for example, containerd or CRI-O), which blocks syscalls most workloads never need. This is the recommended option, as it provides a reasonable level of security while maintaining compatibility for most workloads.
- Unconfined: Applies no Seccomp restrictions to the pod. This is the least secure option and should be used with caution.
Configuration precedence
You can set the seccompProfile at the following levels in overrides.yaml. Component-level settings take precedence over environment-level settings, and environment-level settings take precedence over global settings:
- Component level: Applies to a specific component (for example, runtime or cassandra).
- Environment level: Applies to all components within a specific environment defined in the envs[] array, unless overridden at the component level.
- Global level: Applies to all components in the cluster, unless overridden at the environment or component level.
Examples
Global configuration
To apply the RuntimeDefault Seccomp profile to all components that do not have an environment- or component-level override, add the following to the top level of your overrides.yaml:
securityContext:
  seccompProfile:
    type: RuntimeDefault
Environment configuration
To apply the RuntimeDefault Seccomp profile to all components in a specific environment, add the configuration under the envs[] element:
envs:
- name: "my-environment"
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  ...
Component configuration
To apply the RuntimeDefault Seccomp profile to a specific component (for example, the runtime component), add the configuration under that component:
runtime:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  ...
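The precedence rules above (component over environment over global) are easy to get wrong when an overrides.yaml mixes all three levels. The following script is an added example, not Apigee or Kubernetes code: it takes a constructed, already-parsed overrides structure (a stand-in for overrides.yaml after YAML parsing, with the assumption that component settings live under a top-level key named after the component, as in the runtime example), resolves the effective profile for a given component and environment, lists every combination that ends up Unconfined or unset, and produces the pod securityContext fragment you would expect to see when you verify a running pod.

```python
"""Resolve the effective seccomp profile per hybrid component from overrides data.

Added example; not Apigee or Kubernetes code. OVERRIDES is a constructed
stand-in for a parsed overrides.yaml. Resolution order follows the page:
component-level beats environment-level beats global; if none is set the
result is None, meaning no seccompProfile is written to the pod and the
kubelet's seccompDefault setting decides whether the pod is confined.
"""
import json

SUPPORTED_TYPES = {"RuntimeDefault", "Unconfined"}

# Constructed sample (assumption: component blocks are top-level keys).
OVERRIDES = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},   # global
    "envs": [
        {"name": "prod"},                                                  # inherits global
        {"name": "legacy",
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}},   # env override
    ],
    "runtime": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},  # component override
    "cassandra": {},                                                       # nothing set here
}


def _profile(block):
    """Return the seccompProfile type declared in a block, or None if absent."""
    if not isinstance(block, dict):
        return None
    sec = block.get("securityContext") or {}
    prof = sec.get("seccompProfile") or {}
    t = prof.get("type")
    if t is not None and t not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported seccompProfile type: {t!r}")
    return t


def effective_profile(overrides, component, env=None):
    """Component > environment > global > None (unset)."""
    levels = [_profile(overrides.get(component))]
    if env is not None:
        match = [e for e in overrides.get("envs", []) if e.get("name") == env]
        if not match:
            raise KeyError(f"environment {env!r} not present in envs[]")
        levels.append(_profile(match[0]))
    levels.append(_profile(overrides))
    return next((t for t in levels if t is not None), None)


def weak_spots(overrides, components, envs=(None,)):
    """(component, env, profile) triples that are Unconfined or unset: what to fix first."""
    findings = []
    for comp in components:
        for env in envs:
            prof = effective_profile(overrides, comp, env)
            if prof != "RuntimeDefault":
                findings.append((comp, env, prof))
    return findings


def expected_pod_security_context(profile):
    """Fragment to compare against the live pod's spec.securityContext."""
    if profile is None:
        return {}
    return {"seccompProfile": {"type": profile}}


if __name__ == "__main__":
    for comp, env in (("runtime", "legacy"), ("synchronizer", "legacy"), ("cassandra", None)):
        prof = effective_profile(OVERRIDES, comp, env)
        print(comp, env, prof, json.dumps(expected_pod_security_context(prof)))
    print("needs attention:", weak_spots(OVERRIDES, ["runtime", "synchronizer"], ["prod", "legacy"]))
```

Compare the fragment the script prints against the live pod, for example with `kubectl get pod <pod> -n <namespace> -o jsonpath='{.spec.securityContext.seccompProfile}'`; an empty result means the override never reached the pod and the kubelet default is the only thing standing between the container and an unfiltered syscall table.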