Using a custom seccomp profile is one of the most recommended ways to increase the security of our Kubernetes workloads. However, to do that we need to know every system call our application uses during its whole life cycle, which is not a simple task. By default, Kubernetes asks the container runtime to create a container with the `Unconfined` seccomp profile, meaning that seccomp filtering is disabled. This default ensures that our application will run without problems, but it leaves the kernel's full system-call surface reachable by any remote code execution vulnerability in the container. During this talk, I will show how to use Inspektor Gadget, an eBPF-powered open-source project from the Kinvolk team at Microsoft, to identify all the system calls used by an application, and how to generate a custom seccomp profile that ensures the application keeps working as intended while being allowed exactly the system calls it requires.
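As an added example (not code from the talk or from Inspektor Gadget), the snippet below turns a traced list of system-call names into a seccomp profile in the OCI/Docker JSON format and adds a regression check that reports which syscalls from a newer trace the profile would deny. The syscall list is constructed for illustration; a real trace comes from the tracing tool.

```python
import json

# Constructed sample: syscall names a tracer such as Inspektor Gadget might
# observe for a small web server over its life cycle (duplicates included,
# as a raw trace would have them).
OBSERVED_SYSCALLS = [
    "execve", "brk", "arch_prctl", "mmap", "mprotect", "openat", "read",
    "close", "socket", "bind", "listen", "accept4", "write", "epoll_create1",
    "epoll_ctl", "epoll_wait", "futex", "clone", "exit_group", "read",
]


def build_seccomp_profile(syscalls, architectures=("SCMP_ARCH_X86_64",),
                          default_action="SCMP_ACT_ERRNO"):
    """Allow-list profile: everything observed is allowed, the rest hits
    default_action. SCMP_ACT_ERRNO makes an unexpected syscall fail with an
    error instead of killing the process; SCMP_ACT_LOG (log and allow) is a
    useful staging default while the trace is still being completed."""
    names = sorted(set(syscalls))  # deduplicate, stable order for review/diff
    return {
        "defaultAction": default_action,
        "architectures": list(architectures),
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW"}],
    }


def allowed_syscalls(profile):
    """Set of names explicitly allowed by the profile's rules."""
    return {
        name
        for rule in profile.get("syscalls", [])
        if rule.get("action") == "SCMP_ACT_ALLOW"
        for name in rule["names"]
    }


def missing_syscalls(profile, new_trace):
    """Regression check: syscalls in a newer trace (e.g. a new app version)
    that the profile would deny. Non-empty means re-trace before rollout."""
    return sorted(set(new_trace) - allowed_syscalls(profile))


def profile_json(profile):
    """Serialize for writing to the node path referenced by the Pod's
    securityContext.seccompProfile (type: Localhost)."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    prof = build_seccomp_profile(OBSERVED_SYSCALLS)
    print(profile_json(prof))
    print("would be denied:", missing_syscalls(prof, ["read", "ptrace"]))
```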
