Tags: kubernetes, kubectl, azure-aks, seccomp

Error: failed to create containerd container: cannot load seccomp profile, no such file or directory


I am trying to set a custom seccomp profile using kubectl apply, and despite the file being there in the container, the pod will not start with the following error:

Error: failed to create containerd container: cannot load seccomp profile "/var/lib/kubelet/seccomp/custom_profile.json": open /var/lib/kubelet/seccomp/custom_profile.json: no such file or directory

K8s deployment YAML:

...
containers:
  - name: container-name
    image: container-image:version
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: custom_profile.json
...

The file is copied when the container is created, and going into the shell of the pod I can see that it does exist there (when not trying to load it, the pod starts).

Dockerfile:

...
COPY custom_profile.json /var/lib/kubelet/seccomp/custom_profile.json
...

I have also tried changing the owner (chown) and running with root privileges, but as long as the localhostProfile: custom_profile.json line is in the YAML, the same error appears again.

What am I missing that is preventing the file from being found? Something missing in the YAML, something missing in the container/dockerfile?

The following article is what got me this far, but I am still not able to set the profile: https://docs.openshift.com/container-platform/4.8/security/seccomp-profiles.html


Solution

  • If a type: Localhost seccomp profile is used, then the seccomp profile must be present on the node on which the pod is getting scheduled. Also, the path is relative to the path /var/lib/kubelet/seccomp. Here /var/lib/kubelet/ is the default path for kubelet config.

    Here is the related snippet from official documentation:

    localhost/<path> - Specify a profile as a file on the node located at <seccomp_root>/<path>, where <seccomp_root> is defined via the --seccomp-profile-root flag on the Kubelet. If the --seccomp-profile-root flag is not defined, the default path will be used, which is <root-dir>/seccomp where <root-dir> is specified by the --root-dir flag.

    Example-1: For the following to work, a custom_profile.json file must be present at the /var/lib/kubelet/seccomp path on the node.

    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: custom_profile.json
    

    Example-2: For the following to work, a custom_profile.json file must be present at the /var/lib/kubelet/seccomp/profiles path on the node.

    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/custom_profile.json
    

    Here is a minimal working example:

    The seccomp profiles are copied to the worker node:

    ps@worker-node:~$ sudo ls -lrt /var/lib/kubelet/seccomp/profiles
    [sudo] password for ps:
    total 12
    -rw-r--r-- 1 root root   39 Sep 10 13:54 audit.json
    -rw-r--r-- 1 root root   41 Sep 10 13:54 violation.json
    -rw-r--r-- 1 root root 1657 Sep 10 13:54 fine-grained.json
    ps@worker-node:~$
    

    Create the pod with the following path; notice that the path is relative to /var/lib/kubelet/seccomp.

    apiVersion: v1
    kind: Pod
    metadata:
      name: audit-pod
      labels:
        app: audit-pod
    spec:
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit.json
      containers:
      - name: test-container
        image: nginx
        securityContext:
          allowPrivilegeEscalation: false
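The path rule in the answer above (localhostProfile is joined onto the kubelet's seccomp root, which defaults to <root-dir>/seccomp, and the file has to exist on the node rather than in the image) can be checked before a pod is ever applied. The script below is an added example, not code from the question, the answer, or Kubernetes itself: it reproduces that join, rejects an absolute localhostProfile (the API server refuses those), and tests whether the resolved file is readable on the host it runs on. The temp-directory layout, the profiles/audit.json name and the SCMP_ACT_LOG body are constructed for the demo; the default /var/lib/kubelet and <root-dir>/seccomp values are the kubelet defaults quoted in the answer.

```shell
#!/bin/sh
# Added example (not from the original question or answer): mimic how the
# kubelet turns a pod's localhostProfile into an on-node file path, then check
# that the file really exists there.

# resolve_seccomp_profile <localhostProfile> [root-dir] [seccomp-profile-root]
#   root-dir defaults to /var/lib/kubelet (kubelet --root-dir default);
#   seccomp-profile-root defaults to <root-dir>/seccomp, as in the quoted docs.
resolve_seccomp_profile() {
  profile=$1
  root_dir=${2:-/var/lib/kubelet}
  seccomp_root=${3:-$root_dir/seccomp}
  case "$profile" in
    "")  echo "localhostProfile must not be empty" >&2; return 1 ;;
    /*)  echo "localhostProfile must be a relative path: $profile" >&2; return 1 ;;
  esac
  printf '%s/%s\n' "$seccomp_root" "$profile"
}

# check_seccomp_profile <localhostProfile> [root-dir] [seccomp-profile-root]
#   Returns 0 if the resolved profile is readable on this host (run it on the
#   node, not inside the pod), 1 otherwise.
check_seccomp_profile() {
  path=$(resolve_seccomp_profile "$@") || return 1
  if [ -r "$path" ]; then
    echo "ok: $path"
    return 0
  fi
  echo "missing on node: $path (COPY into the image does not put it here)" >&2
  return 1
}

# Constructed demo: fake a kubelet root-dir under a temp dir and drop one
# profile into <root-dir>/seccomp/profiles, mirroring the answer's layout.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/seccomp/profiles"
printf '{"defaultAction":"SCMP_ACT_LOG"}\n' > "$demo_root/seccomp/profiles/audit.json"

check_seccomp_profile profiles/audit.json "$demo_root"           # found
check_seccomp_profile custom_profile.json "$demo_root" || true   # not found
```

To run the check against a real AKS node without SSH, `kubectl debug node/<node-name> -it --image=busybox` gives a shell with the node's filesystem mounted under /host, so the path to inspect there is /host/var/lib/kubelet/seccomp/<localhostProfile>.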