All pods must set Seccomp profile to RuntimeDefault or Localhost.
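---
# SpotterRule spotter-workload-012: flag Pods, and the pod templates of
# Deployments/StatefulSets, that run without a seccomp profile.
#
# Fix in this revision: the title and description accept both RuntimeDefault
# and Localhost profiles, but the CEL previously treated Localhost as a
# violation. The expression now accepts either type, matching the description.
apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-workload-012
  labels:
    severity: "critical"
    category: "workload"
  annotations:
    rules.spotter.dev/title: "Pod Without Seccomp Profile"
    rules.spotter.dev/version: "1.0.0"
    # NOTE(review): CWE-024 is a path-traversal weakness and does not describe
    # a missing syscall filter — confirm the intended CWE id with the rule owner.
    rules.spotter.dev/cwe: "CWE-024"
    rules.spotter.dev/description: "All pods must set Seccomp profile to RuntimeDefault or Localhost."
spec:
  match:
    resources:
      kubernetes:
        apiGroups:
          - ''
          - apps
        versions:
          - v1
        kinds:
          - Pod
          - Deployment
          - StatefulSet
        namespaces:
          include:
            - '*'
          exclude:
            # System namespaces are not evaluated by this rule; an unconfined
            # workload there is not reported, so cover them separately if needed.
            - kube-system
            - kube-public
        labels:
          exclude:
            rules.spotter.dev/ignore: ["true"]
  # The expression is true when the object VIOLATES the rule.
  # A workload is compliant when the pod-level securityContext sets a
  # RuntimeDefault or Localhost seccomp profile, or when every entry in
  # spec.containers sets one itself.
  #
  # NOTE(review): known gaps, unchanged here to keep the fix focused —
  #   - initContainers and ephemeralContainers are not inspected at all;
  #   - a container that explicitly sets seccompProfile.type "Unconfined"
  #     overrides a compliant pod-level profile but is not reported;
  #   - the legacy annotation accepted below is the PodSecurityPolicy default-
  #     profile annotation, and alpha seccomp annotations are no longer honored
  #     by current Kubernetes releases — confirm whether accepting it is wanted.
  cel: |
    object.kind in ["Pod", "Deployment", "StatefulSet"] &&
    (
      (object.kind == "Pod" &&
        // No compliant pod-level seccomp configuration ...
        !(
          (has(object.metadata.annotations) && 'seccomp.security.alpha.kubernetes.io/defaultProfileName' in object.metadata.annotations && object.metadata.annotations['seccomp.security.alpha.kubernetes.io/defaultProfileName'] == 'runtime/default') ||
          (has(object.spec.securityContext) && has(object.spec.securityContext.seccompProfile) && object.spec.securityContext.seccompProfile.type in ["RuntimeDefault", "Localhost"])
        ) &&
        // ... and not every container sets a compliant profile itself
        (!has(object.spec.containers) || !object.spec.containers.all(c,
          has(c.securityContext) && has(c.securityContext.seccompProfile) && c.securityContext.seccompProfile.type in ["RuntimeDefault", "Localhost"]
        ))
      ) ||
      (object.kind in ["Deployment", "StatefulSet"] && has(object.spec.template) &&
        // No compliant pod-level seccomp configuration in the pod template ...
        !(
          (has(object.spec.template.metadata.annotations) && 'seccomp.security.alpha.kubernetes.io/defaultProfileName' in object.spec.template.metadata.annotations && object.spec.template.metadata.annotations['seccomp.security.alpha.kubernetes.io/defaultProfileName'] == 'runtime/default') ||
          (has(object.spec.template.spec.securityContext) && has(object.spec.template.spec.securityContext.seccompProfile) && object.spec.template.spec.securityContext.seccompProfile.type in ["RuntimeDefault", "Localhost"])
        ) &&
        // ... and not every template container sets a compliant profile itself
        (!has(object.spec.template.spec.containers) || !object.spec.template.spec.containers.all(c,
          has(c.securityContext) && has(c.securityContext.seccompProfile) && c.securityContext.seccompProfile.type in ["RuntimeDefault", "Localhost"]
        ))
      )
    )
  remediation:
    # RuntimeDefault is the portable choice; a Localhost profile also satisfies
    # this rule when the node ships the referenced profile.
    manual: "Set seccompProfile: RuntimeDefault"
  references:
    - title: "Kubernetes Seccomp"
      url: "https://kubernetes.io/docs/tutorials/security/seccomp/"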