@gbrayut
Last active March 16, 2023 17:12
Testing Kubernetes seccompProfile
```yaml
# Two otherwise identical pods: the first opts in to the container runtime's
# default seccomp profile, the second sets no seccompProfile at all.
apiVersion: v1
kind: Pod
metadata:
  name: runtimedefault-pod
spec:
  containers:
  - name: test-container
    image: r.j3ss.co/amicontained
    command: ["/usr/bin/amicontained"]
    securityContext:
      seccompProfile:
        type: RuntimeDefault
---
apiVersion: v1
kind: Pod
metadata:
  name: not-runtimedefault-pod
spec:
  containers:
  - name: test-container
    image: r.j3ss.co/amicontained
    command: ["/usr/bin/amicontained"]
```
```shell
# See https://cloud.google.com/kubernetes-engine/docs/concepts/seccomp-in-gke
kubectl apply -f /tmp/test-seccomp.yaml
kubectl get po
# amicontained prints its findings to stdout, so the pod logs are the report
kubectl logs runtimedefault-pod > /tmp/runtimedefault-pod
kubectl logs not-runtimedefault-pod > /tmp/not-runtimedefault-pod
# brace expansion: diffmerge /tmp/not-runtimedefault-pod /tmp/runtimedefault-pod
diffmerge /tmp/{not-,}runtimedefault-pod
```
Output of `kubectl logs not-runtimedefault-pod` (no seccompProfile set):

```text
Container Runtime: kube
Has Namespaces:
	pid: true
	user: false
AppArmor Profile: cri-containerd.apparmor.d (enforce)
Capabilities:
	BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
Seccomp: disabled
Blocked Syscalls (20):
	SYSLOG SETPGID SETSID VHANGUP PIVOT_ROOT ACCT SETTIMEOFDAY SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME INIT_MODULE DELETE_MODULE
	LOOKUP_DCOOKIE FANOTIFY_INIT OPEN_BY_HANDLE_AT FINIT_MODULE KEXEC_FILE_LOAD BPF
Looking for Docker.sock
```
Output of `kubectl logs runtimedefault-pod` (seccompProfile type RuntimeDefault):

```text
Container Runtime: kube
Has Namespaces:
	pid: true
	user: false
AppArmor Profile: cri-containerd.apparmor.d (enforce)
Capabilities:
	BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
Seccomp: filtering
Blocked Syscalls (60):
	SYSLOG SETPGID SETSID USELIB USTAT SYSFS VHANGUP PIVOT_ROOT _SYSCTL ACCT SETTIMEOFDAY MOUNT UMOUNT2 SWAPON SWAPOFF REBOOT SETHOSTNAME
	SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE GET_KERNEL_SYMS QUERY_MODULE QUOTACTL NFSSERVCTL GETPMSG PUTPMSG
	AFS_SYSCALL TUXCALL SECURITY LOOKUP_DCOOKIE CLOCK_SETTIME VSERVER MBIND SET_MEMPOLICY GET_MEMPOLICY KEXEC_LOAD ADD_KEY REQUEST_KEY
	KEYCTL MIGRATE_PAGES UNSHARE MOVE_PAGES PERF_EVENT_OPEN FANOTIFY_INIT NAME_TO_HANDLE_AT OPEN_BY_HANDLE_AT SETNS PROCESS_VM_READV
	PROCESS_VM_WRITEV KCMP FINIT_MODULE KEXEC_FILE_LOAD BPF USERFAULTFD PKEY_MPROTECT PKEY_ALLOC PKEY_FREE
Looking for Docker.sock
```
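Rather than eyeballing the two logs in diffmerge, the check can be scripted: the parser below (an added example, not part of this gist or of amicontained) reads the amicontained report format shown above, validates the "Blocked Syscalls (N)" count against the names it finds, and reports what RuntimeDefault changed. The embedded samples are the two pod logs from this gist with the namespace and capability lines trimmed.

```python
"""Parse amicontained output and compare two runs, so the "Seccomp:" state and
the set of blocked syscalls can be asserted on instead of eyeballed in a diff."""
import re

# Logs captured from the two pods in this gist (namespace/capability lines trimmed).
NOT_RUNTIMEDEFAULT = """Container Runtime: kube
Seccomp: disabled
Blocked Syscalls (20):
SYSLOG SETPGID SETSID VHANGUP PIVOT_ROOT ACCT SETTIMEOFDAY SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME INIT_MODULE DELETE_MODULE
LOOKUP_DCOOKIE FANOTIFY_INIT OPEN_BY_HANDLE_AT FINIT_MODULE KEXEC_FILE_LOAD BPF
Looking for Docker.sock
"""
RUNTIMEDEFAULT = """Container Runtime: kube
Seccomp: filtering
Blocked Syscalls (60):
SYSLOG SETPGID SETSID USELIB USTAT SYSFS VHANGUP PIVOT_ROOT _SYSCTL ACCT SETTIMEOFDAY MOUNT UMOUNT2 SWAPON SWAPOFF REBOOT SETHOSTNAME
SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE GET_KERNEL_SYMS QUERY_MODULE QUOTACTL NFSSERVCTL GETPMSG PUTPMSG
AFS_SYSCALL TUXCALL SECURITY LOOKUP_DCOOKIE CLOCK_SETTIME VSERVER MBIND SET_MEMPOLICY GET_MEMPOLICY KEXEC_LOAD ADD_KEY REQUEST_KEY
KEYCTL MIGRATE_PAGES UNSHARE MOVE_PAGES PERF_EVENT_OPEN FANOTIFY_INIT NAME_TO_HANDLE_AT OPEN_BY_HANDLE_AT SETNS PROCESS_VM_READV
PROCESS_VM_WRITEV KCMP FINIT_MODULE KEXEC_FILE_LOAD BPF USERFAULTFD PKEY_MPROTECT PKEY_ALLOC PKEY_FREE
Looking for Docker.sock
"""

def parse_amicontained(text):
    """Return the seccomp mode and the set of syscalls amicontained reports as blocked."""
    seccomp, declared, blocked, in_list = None, None, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Seccomp:"):
            seccomp = line.split(":", 1)[1].strip()
        elif m := re.match(r"Blocked Syscalls \((\d+)\):", line):
            declared, in_list = int(m.group(1)), True
        elif in_list and re.fullmatch(r"[A-Z0-9_ ]+", line):
            blocked.extend(line.split())  # the list wraps across several lines
        elif in_list:
            in_list = False  # first non-syscall line ends the list
    if declared is not None and declared != len(blocked):
        raise ValueError(f"header says {declared} blocked syscalls, parsed {len(blocked)}")
    return {"seccomp": seccomp, "blocked": set(blocked)}

def seccomp_delta(before, after):
    """Seccomp mode of each run plus the syscalls newly blocked or newly allowed."""
    b, a = parse_amicontained(before), parse_amicontained(after)
    return {"before": b["seccomp"], "after": a["seccomp"],
            "newly_blocked": sorted(a["blocked"] - b["blocked"]),
            "newly_allowed": sorted(b["blocked"] - a["blocked"])}

if __name__ == "__main__":
    d = seccomp_delta(NOT_RUNTIMEDEFAULT, RUNTIMEDEFAULT)
    print(f"Seccomp {d['before']} -> {d['after']}: {len(d['newly_blocked'])} newly blocked syscalls")
```

Feeding it the two saved log files instead of the embedded samples gives a pass/fail check that can run in CI after every node-pool or runtime upgrade.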