Monday, 21 November 2022

Seccomp — Secure Computing Mode

Introduction
A JSON file is prepared. Its skeleton is as follows
{
    "defaultAction": "",
    "architectures": [],
    "syscalls": [
        {
            "names": [],
            "action": ""
        }
    ]
}
The explanation is as follows
In the syscalls section we will list the system calls under the "names" array that are allowed or blocked depending on what is being set as "action".

In the architectures section we have to define what architectures we are targeting. This is very essential because the seccomp filter will operate at the kernel level. And also during the filtering, syscall IDs will be used and not the names we defined in syscalls.names section.

defaultAction defines what will happen if no matching system call is found inside the syscalls list.
1. Where the File Is Placed
The explanation is as follows
In order to assign a seccomp profile to a pod we have to place the seccomp profile JSON file in the nodes directories so that kubelet can access that easily while scheduling the pod into the corresponding nodes.

As per the documentation version v1.25, the default root directory of the kubelet is: /var/lib/kubelet
2. Attach a seccompProfile to a pod
The explanation is as follows
To set the Seccomp profile to a pod/container, include the seccompProfile field in the securityContext section of the Pod or Container manifest.

There are various kinds of seccompProfile :

Localhost — a seccomp profile defined in a file on the node where the pod will be scheduled.

RuntimeDefault — the container runtime default profile should be used. 

Unconfined — no profile should be applied. (default, if no profile is defined)
Example
We do it like this
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  labels:
    app: pod-1
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/custom.json
  containers:
  - name: test-container
    image: hashicorp/http-echo:0.2.3
    args:
    - "-text=just made some syscalls!"
    securityContext:
      allowPrivilegeEscalation: false   
The explanation is as follows
To ensure the container does not get more privileges than the pod, we must set container allowPrivilegeEscalation to false.
We place the file like this
# create new directory under kubelet root directory
$ mkdir -p /var/lib/kubelet/seccomp/profiles

# move "custom.json"
$ mv custom.json /var/lib/kubelet/seccomp/profiles/
3. File Contents
defaultAction can be one of
SCMP_ACT_ERRNO (a syscall not in the syscalls list is denied: whitelist)
SCMP_ACT_ALLOW (a syscall not in the syscalls list is allowed: blacklist)
SCMP_ACT_LOG (only logs to /var/log/syslog; intended for auditing)

Example - audit
We do it like this
{
    "defaultAction": "SCMP_ACT_LOG"
}
Example - whitelist
We do it like this
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "pselect6",
                "getsockname",
                ..
                ..
                "execve",
                "exit"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}
Example - blacklist
We do it like this
{
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "pselect6",
                "getsockname",
                ..
                .. 
                ..
                "execve",
                "exit"
            ],
            "action": "SCMP_ACT_ERRNO" 
        }
    ]
}
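An added example (not code from the post) that evaluates profiles in the skeleton above the way the filter decides: it rejects skeleton fields left empty, classifies a profile as whitelist, blacklist or audit by its defaultAction, and reports which syscalls a workload needs that the profile would block. The two sample profiles are constructed for this example; the evaluator takes the first entry that names a syscall, so it assumes a syscall is not listed under two actions.

```python
import json

# Actions the OCI runtime spec defines; the post covers ERRNO, ALLOW and LOG.
VALID_ACTIONS = {"SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_KILL_THREAD",
                 "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE",
                 "SCMP_ACT_LOG", "SCMP_ACT_NOTIFY", "SCMP_ACT_ALLOW"}

# Constructed sample profiles (not the post's own): a whitelist and a blacklist.
WHITELIST = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}],
})
BLACKLIST = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{"names": ["execve", "ptrace"], "action": "SCMP_ACT_ERRNO"}],
})

def load_profile(text):
    """Parse a profile and reject skeleton fields that were left empty."""
    profile = json.loads(text)
    if profile.get("defaultAction") not in VALID_ACTIONS:
        raise ValueError(f"bad defaultAction: {profile.get('defaultAction')!r}")
    # Names are matched as per-architecture syscall IDs, so a non-empty
    # syscalls list without architectures cannot be resolved.
    if profile.get("syscalls") and not profile.get("architectures"):
        raise ValueError("architectures must be set when syscalls are listed")
    for entry in profile.get("syscalls", []):
        if not entry.get("names") or entry.get("action") not in VALID_ACTIONS:
            raise ValueError(f"bad syscalls entry: {entry}")
    return profile

def decide(profile, syscall):
    """Action for one syscall: first entry naming it wins, else defaultAction."""
    for entry in profile.get("syscalls", []):
        if syscall in entry["names"]:
            return entry["action"]
    return profile["defaultAction"]

def profile_mode(profile):
    """Classify by defaultAction as the post does."""
    return {"SCMP_ACT_ERRNO": "whitelist", "SCMP_ACT_ALLOW": "blacklist",
            "SCMP_ACT_LOG": "audit"}.get(profile["defaultAction"], "other")

def denied(profile, needed):
    """Syscalls a workload needs (e.g. gathered during an SCMP_ACT_LOG audit run)
    that this profile would block; an empty list means the pod should run cleanly."""
    return sorted(s for s in needed
                  if decide(profile, s) not in {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"})
```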