
What do the default Seccomp, AppArmor, and SELinux profiles in Kubernetes security truly mean? Who provides the default profile, and where? Does "default" mean it applies to containers, pods, or the Kubernetes cluster itself?

I've seen numerous times that the default Seccomp, SELinux, and AppArmor profiles are enforced on Kubernetes clusters through policies. From what I've learned, these profiles (and the associated policy) should be tailored to each unique container through profiling.

In the latest Pod Security Standards, which replaced PSP, AppArmor can be set to runtime/default while Seccomp can be set to RuntimeDefault, but SELinux does not appear to have any default values. What happens if someone does not specify a tailored profile for a container and the default profile is applied out of the box by Kubernetes? Wouldn't there be a possible conflict over syscalls or application permissions at runtime in the future?

Lastly, based on your experience, what's the adoption of these tailored policies in real life? Aren't they too specific and secure to be scalable with the sheer number of containers? I assume Agile practitioners would dislike them as profiling can't be fully automated.

1 Answer

There are a couple of things to note about the default policies for SELinux, AppArmor and seccomp under Kubernetes.

First up, the question about runtime/default: this essentially means that Kubernetes will defer the question of the policy to the default one provided by the container runtime in use. This could be Docker, containerd, CRI-O or another. In general the policies used by Docker and containerd are the same, and I'd expect CRI-O's to be similar.

As to what happens if you don't apply a specific policy: AppArmor will apply by default, seccomp will not be applied by default, which means that the container has less protection than it would if run directly under Docker, for example.

Take-up of custom policies is (IME) quite limited due to the complication of configuring the policies and rolling them out in a cluster. The second part of that problem is getting work in the Kubernetes project, however, as both AppArmor and seccomp have features coming that will allow for default policies to be easily applied in clusters.

Rory McCune
  • Thank you for clarifying my question. Can I please ask a few follow-up questions? 1. In your experience, how do the default out-of-the-box AppArmor and Seccomp profiles fare with the containers you need to deploy? Have they broken the application running in production? https://docs.docker.com/engine/security/apparmor/ https://docs.docker.com/engine/security/seccomp/ 2. How about the default SELinux policy? If I interpret correctly, does it enforce the host's SELinux policy on the container? How is it really used in real life? This seems highly customized as well. – transcend3nt Aug 24 '22 at 10:17
  • I've not seen enough use of the SELinux policies to be able to comment, but in my experience of using docker for a number of years the default Apparmor and seccomp profiles have not caused me any issues. – Rory McCune Aug 25 '22 at 07:46
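As an added example (not part of the question or answer above), the following checker applies the Pod Security Standards rules the thread refers to. For each container in a Pod manifest (already parsed into a dict, e.g. with yaml.safe_load) it reports whether seccomp, AppArmor and SELinux are pinned to the runtime default or a custom profile, left unset (so the behaviour the answer describes applies: no seccomp filter unless the kubelet is started with seccompDefault enabled, the runtime's own AppArmor default otherwise), or explicitly disabled. The rules follow the published baseline and restricted profiles; note that SELinux has no RuntimeDefault value in PSS, it only constrains what seLinuxOptions may override. The pod, container and image names in sample_pod() are made up.

```python
"""Pod Security Standards style check for seccomp, AppArmor and SELinux
settings in a Pod manifest. Returns (severity, message) findings:
FAIL = violates the requested PSS level, WARN = nothing set, so the
behaviour depends on the kubelet / container runtime defaults."""

APPARMOR_ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
# PSS baseline allows only these SELinux types and forbids setting user or role.
ALLOWED_SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}


def _containers(pod):
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])


def _seccomp_type(scope):
    return scope.get("securityContext", {}).get("seccompProfile", {}).get("type")


def check_seccomp(pod, level):
    """A container-level seccompProfile overrides the pod-level one. Nothing set
    means no filter at all unless the kubelet runs with seccompDefault enabled."""
    findings = []
    pod_default = _seccomp_type(pod.get("spec", {}))
    for c in _containers(pod):
        effective = _seccomp_type(c) or pod_default
        if effective == "Unconfined":
            findings.append(("FAIL", f"seccomp: {c['name']} is Unconfined (violates baseline)"))
        elif effective is None and level == "restricted":
            findings.append(("FAIL", f"seccomp: {c['name']} has no profile (restricted requires RuntimeDefault or Localhost)"))
        elif effective is None:
            findings.append(("WARN", f"seccomp: {c['name']} has no profile; unconfined unless kubelet seccompDefault is on"))
    return findings


def check_apparmor(pod):
    """Baseline: the per-container annotation must be runtime/default or
    localhost/<profile>. An absent annotation is allowed; the runtime's own
    default profile is then applied without anything recorded in the spec."""
    findings = []
    annotations = pod.get("metadata", {}).get("annotations", {})
    for c in _containers(pod):
        value = annotations.get(APPARMOR_ANNOTATION_PREFIX + c["name"])
        if value is None:
            findings.append(("WARN", f"apparmor: {c['name']} has no annotation; runtime default applies implicitly"))
        elif value == "unconfined":
            findings.append(("FAIL", f"apparmor: {c['name']} is unconfined (violates baseline)"))
        elif value != "runtime/default" and not value.startswith("localhost/"):
            findings.append(("FAIL", f"apparmor: {c['name']} has unknown profile {value!r}"))
    return findings


def check_selinux(pod):
    """No RuntimeDefault exists for SELinux; PSS only restricts overrides.
    Checks both the pod-level and each container-level seLinuxOptions."""
    findings = []
    scopes = [("pod", pod.get("spec", {}))] + [(c["name"], c) for c in _containers(pod)]
    for name, scope in scopes:
        opts = scope.get("securityContext", {}).get("seLinuxOptions")
        if not opts:
            continue
        if opts.get("type", "") not in ALLOWED_SELINUX_TYPES:
            findings.append(("FAIL", f"selinux: {name} sets type {opts['type']!r} (violates baseline)"))
        for key in ("user", "role"):
            if opts.get(key):
                findings.append(("FAIL", f"selinux: {name} sets {key}, which baseline forbids"))
    return findings


def check_pod(pod, level="restricted"):
    return check_seccomp(pod, level) + check_apparmor(pod) + check_selinux(pod)


def sample_pod():
    """Constructed manifest (hypothetical names, not from a real cluster)."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {
            "name": "demo",
            "annotations": {
                APPARMOR_ANNOTATION_PREFIX + "web": "runtime/default",
                APPARMOR_ANNOTATION_PREFIX + "debug": "unconfined",
            },
        },
        "spec": {
            "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [
                {"name": "web", "image": "example/web"},
                {"name": "debug", "image": "example/debug",
                 "securityContext": {"seccompProfile": {"type": "Unconfined"},
                                     "seLinuxOptions": {"type": "spc_t", "user": "system_u"}}},
                {"name": "sidecar", "image": "example/sidecar"},
            ],
        },
    }


if __name__ == "__main__":
    for severity, message in check_pod(sample_pod()):
        print(severity, message)
```

Run against the sample, the "web" container passes everything, "debug" fails on all three mechanisms, and "sidecar" only draws a warning because it inherits the pod-level RuntimeDefault seccomp profile but carries no AppArmor annotation. A pod that sets nothing at all gets one FAIL (seccomp) under restricted and only WARNs under baseline, which is exactly the gap the answer points at: baseline does not force a seccomp profile on.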