What do the default Seccomp, AppArmor, and SELinux profiles in Kubernetes security actually mean? Who provides the default profile, and where does it come from? Does "default" mean it applies to containers, to pods, or to the Kubernetes cluster itself?
I've seen numerous times that the default Seccomp, SELinux, and AppArmor profiles are enforced on Kubernetes clusters through policies. From what I've learned, these profiles (and the associated policy) should be tailored to each unique container through profiling.
In the latest Pod Security Standards, which replaced PSP, AppArmor can be set to `runtime/default` while Seccomp can be set to `RuntimeDefault`, but SELinux does not appear to have any default value. What happens if someone does not specify a tailored profile for a container and the default profile is applied out of the box by Kubernetes? Wouldn't there be a possible conflict over syscalls or application permissions at runtime later on?
Lastly, based on your experience, what is the real-world adoption of these tailored policies? Aren't they too specific and too restrictive to scale with the sheer number of containers? I assume Agile practitioners would dislike them, since profiling can't be fully automated.
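For reference, here is an added example (not part of the original question) showing where each of the three settings actually lives in a Pod manifest. The `RuntimeDefault` / `runtime/default` values do not name a profile that Kubernetes ships; they tell the kubelet to ask the container runtime (containerd, CRI-O, Docker) for the runtime's own built-in default profile, which is applied per container. SELinux has no comparable "runtime default" value in the API, so the label has to be stated explicitly. The pod name, container name, image and the SELinux level are placeholders chosen for this example.

```yaml
# Added example, not from the original post.
# Placeholder names: demo-pod, app; placeholder SELinux level.
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
  annotations:
    # AppArmor: apply the container runtime's default profile to the
    # container named "app". (Kubernetes 1.30+ also accepts the field
    # securityContext.appArmorProfile.type: RuntimeDefault instead.)
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  securityContext:
    # Seccomp: pod-level default, inherited by every container unless the
    # container sets its own seccompProfile. RuntimeDefault (or Localhost)
    # is what the Restricted level of Pod Security Standards requires.
    seccompProfile:
      type: RuntimeDefault
    # SELinux: there is no RuntimeDefault-style value; the MCS level is
    # given explicitly. Only meaningful on nodes where the runtime labels
    # containers (e.g. CRI-O on an SELinux-enforcing host).
    seLinuxOptions:
      level: "s0:c123,c456"
    runAsNonRoot: true
    runAsUser: 65534
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      # Remaining Restricted-level requirements, so the pod is admitted
      # into a namespace labelled pod-security.kubernetes.io/enforce=restricted.
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

To confirm what was actually applied, `kubectl exec demo-pod -- grep Seccomp /proc/1/status` should print `Seccomp: 2` (filter mode; `0` means no seccomp filter), and `kubectl exec demo-pod -- cat /proc/1/attr/current` shows the AppArmor profile name the runtime chose (`cri-containerd.apparmor.d` on containerd, `docker-default` on Docker). Note also that since Kubernetes 1.27 the kubelet's `seccompDefault` setting, when enabled, applies `RuntimeDefault` to pods that specify no seccomp profile at all, so "no profile" does not necessarily mean "unconfined" on a given cluster.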