Tags: docker, kubernetes, security

How to replicate the RuntimeDefault seccompProfile in Kubernetes to run in Docker?

I’m just curious: when developing an application on a local machine using Docker, how can I ensure the Docker seccomp runtime profile matches what I have defined in the Kubernetes cluster?

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          securityContext:
            seccompProfile:
              type: RuntimeDefault

If there is a suggested Docker command to run with the seccompProfile definition, it would be appreciated.


Solution

Replicating the Kubernetes runtime default seccomp profile on a local Docker machine is not as straightforward, because the RuntimeDefault profile in Kubernetes is dynamic and can vary depending on the specific kernel version and container runtime used in your cluster. Docker on your local machine might have a different kernel and runtime, leading to potential inconsistencies.

However, Docker’s seccomp profiles via the --security-opt seccomp flag are less featured compared to those of Kubernetes. Some system calls allowed in the Kubernetes RuntimeDefault profile might not be available in the Docker implementation.

“Docker” itself has some built-in seccomp profiles, such as scmp : unconfined, which you can use as a basis for creating your development environment.

You may also choose to build a custom JSON file which will define what syscalls should be allowed by your application. Scomp-security-analyzer or ccchecker tools may be useful in analyzing an application to generate a security profile based on the system calls it makes.

Docker command using a custom seccomp profile:

    docker run --rm \
               -it \
               --security-opt seccomp=/path/to/seccomp/profile.json \
               hello-world

If replicating the exact Kubernetes RuntimeDefault profile is crucial, you might consider setting up a lightweight Kubernetes cluster locally using tools like Minikube or Kind. This would allow you to leverage the RuntimeDefault profile within your local development environment.

Refer to this Medium blog by Lachlan Evenson for more information.
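One practical way to check whether a local Docker profile drifts from the profile the cluster runtime applies is to diff the two JSON files on the syscalls they allow. The script below is an added example and is not part of the question or the answer above. It parses the JSON layout that Docker's --security-opt seccomp=<file> consumes (defaultAction, architectures, and a syscalls list whose rules carry names/name, action, and optional includes.caps / excludes.caps guards) and evaluates the capability guards the way Docker does (includes.caps matches if the container holds any listed capability; excludes.caps rejects the rule if it holds any listed capability). The two profiles embedded in it are small constructed samples, not the real RuntimeDefault or Docker default profile; in use, replace them with the JSON read from the profile files you want to compare. Argument-level filters (rules with an args list) are counted at the name level only, which is a stated limitation of this example.

```python
"""Diff two seccomp profiles in Docker's JSON format by the syscalls they allow.

Added example. CLUSTER_PROFILE and LOCAL_PROFILE are constructed samples
standing in for the cluster runtime's default profile and a local Docker
profile; they are not the real profiles.
"""
import json

# Constructed stand-in for the profile the cluster's container runtime applies.
CLUSTER_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex"],
         "action": "SCMP_ACT_ALLOW"},
        # ptrace is only allowed when the container holds CAP_SYS_PTRACE.
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    ],
})

# Constructed stand-in for a hand-written local profile that has drifted:
# it drops futex, adds mount, and allows ptrace unconditionally.
LOCAL_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "mount"],
         "action": "SCMP_ACT_ALLOW"},
        {"name": "ptrace", "action": "SCMP_ACT_ALLOW"},  # older singular form
    ],
})

DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}


def _load(profile):
    """Accept either a JSON string or an already-parsed dict."""
    return json.loads(profile) if isinstance(profile, str) else profile


def is_deny_by_default(profile):
    """True when syscalls not matched by an allow rule are refused."""
    return _load(profile).get("defaultAction") in DENY_ACTIONS


def _rule_applies(rule, caps):
    """Evaluate Docker's includes/excludes capability guards for one rule."""
    includes = rule.get("includes") or {}
    excludes = rule.get("excludes") or {}
    if includes.get("caps") and not set(includes["caps"]) & caps:
        return False  # needs at least one of the listed caps
    if excludes.get("caps") and set(excludes["caps"]) & caps:
        return False  # rule is withdrawn when any listed cap is held
    return True


def allowed_syscalls(profile, caps=frozenset()):
    """Return the set of syscall names allowed for a container holding `caps`."""
    allowed = set()
    for rule in _load(profile).get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if not _rule_applies(rule, caps):
            continue
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        allowed.update(names)
    return allowed


def diff_profiles(reference, candidate, caps=frozenset()):
    """Syscalls the reference allows but the candidate lacks, and vice versa."""
    ref = allowed_syscalls(reference, caps)
    cand = allowed_syscalls(candidate, caps)
    return {"missing_locally": sorted(ref - cand),
            "extra_locally": sorted(cand - ref)}


if __name__ == "__main__":
    for caps in (frozenset(), frozenset({"CAP_SYS_PTRACE"})):
        label = ", ".join(sorted(caps)) or "no extra capabilities"
        print(label, diff_profiles(CLUSTER_PROFILE, LOCAL_PROFILE, caps))
```

The capability set passed in matters: with no extra capabilities the cluster profile's ptrace rule is inactive, so ptrace shows up only as an extra grant in the local profile, while with CAP_SYS_PTRACE both profiles allow it and only futex and mount remain as differences. Running the diff for the capability set your Pod actually has is what makes the comparison meaningful.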