
Gadget seccomp

The seccomp gadget traces system calls for each container in order to generate seccomp policies.

The seccomp policies can be generated in two ways:

  1. on demand with the gadget.kinvolk.io/operation=generate annotation. In this case, the Trace.Spec.Filter should specify the namespace and pod name to the exclusion of other fields because there can be only one SeccompProfile written in the Trace.Status.Output or in the SeccompProfile resource named by Trace.Spec.Output. The on-demand generation supports the outputMode Status and ExternalResource.
  2. automatically when containers matching the Trace.Spec.Filter terminate. In this case, all filters are supported. The at-termination generation supports the outputMode ExternalResource and Stream.

The seccomp policies can be written in the Status field of the Trace custom resource, or in SeccompProfiles custom resources managed by the Kubernetes Security Profiles Operator.

SeccompProfiles will have the following annotations:

  • seccomp.gadget.kinvolk.io/trace: the namespaced name of the Trace custom resource that generated this SeccompProfile
  • seccomp.gadget.kinvolk.io/node: the node where this SeccompProfile was generated
  • seccomp.gadget.kinvolk.io/pod: the pod namespaced name of the pod that was traced
  • seccomp.gadget.kinvolk.io/container: the container name in the pod that was traced
  • seccomp.gadget.kinvolk.io/ownerReference-APIVersion: the ownerReference's APIVersion of the pod that was traced
  • seccomp.gadget.kinvolk.io/ownerReference-Kind: the ownerReference's Kind of the pod that was traced
  • seccomp.gadget.kinvolk.io/ownerReference-Name: the ownerReference's Name of the pod that was traced
  • seccomp.gadget.kinvolk.io/ownerReference-UID: the ownerReference's UID of the pod that was traced

SeccompProfiles will have the same labels as the Trace custom resource that generated them. They don't have meaning for the seccomp gadget. They are merely copied for convenience.
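The annotations above are what lets you tie a generated profile back to the workload it was recorded from. Because the gadget writes one SeccompProfile per traced container per node, a Deployment with several replicas yields several profiles that usually differ slightly. The following added example (not part of Inspektor Gadget or the Security Profiles Operator) reads the seccomp.gadget.kinvolk.io/* annotations, groups profiles by the traced pod's ownerReference and container, and unions their allowed syscalls so they can be reviewed as one allowlist. The SeccompProfile spec layout (spec.defaultAction, spec.syscalls[].action, spec.syscalls[].names) is assumed from the Security Profiles Operator; the sample resources, pod and node names are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

PREFIX = "seccomp.gadget.kinvolk.io/"


def origin(profile: dict) -> Optional[dict]:
    """Extract trace, node, pod, container and owner from the gadget's
    annotations; None if the profile was not generated by the gadget."""
    ann = profile.get("metadata", {}).get("annotations") or {}
    if PREFIX + "trace" not in ann:
        return None
    return {
        "trace": ann.get(PREFIX + "trace"),
        "node": ann.get(PREFIX + "node"),
        "pod": ann.get(PREFIX + "pod"),
        "container": ann.get(PREFIX + "container"),
        "owner_kind": ann.get(PREFIX + "ownerReference-Kind"),
        "owner_name": ann.get(PREFIX + "ownerReference-Name"),
    }


def allowed_syscalls(profile: dict) -> Set[str]:
    """Syscall names the profile allows (SPO spec layout, assumed)."""
    names: Set[str] = set()
    for rule in profile.get("spec", {}).get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return names


def group_by_owner(profiles: List[dict]) -> Dict[Tuple[str, str, str], dict]:
    """Key: (ownerKind, ownerName, container). Value: profile names, nodes
    seen, and the union of syscalls allowed across all of them."""
    groups: Dict[Tuple[str, str, str], dict] = defaultdict(
        lambda: {"profiles": [], "nodes": set(), "syscalls": set()})
    for p in profiles:
        o = origin(p)
        if o is None:  # hand-written or foreign profile: skip it
            continue
        g = groups[(o["owner_kind"], o["owner_name"], o["container"])]
        g["profiles"].append(p["metadata"]["name"])
        g["nodes"].add(o["node"])
        g["syscalls"] |= allowed_syscalls(p)
    return dict(groups)


def merged_profile(name: str, group: dict) -> dict:
    """Build one SPO-style profile allowing the union of the group's syscalls."""
    return {
        "kind": "SeccompProfile",
        "metadata": {"name": name},
        "spec": {
            "defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"action": "SCMP_ACT_ALLOW",
                          "names": sorted(group["syscalls"])}],
        },
    }


def _profile(name, node, pod, container, owner_api, owner_kind, owner_name, syscalls):
    """Constructed SeccompProfile annotated the way the gadget documents."""
    return {
        "kind": "SeccompProfile",
        "metadata": {
            "name": name,
            "namespace": "gadget",
            "annotations": {
                PREFIX + "trace": "gadget/seccomp",
                PREFIX + "node": node,
                PREFIX + "pod": pod,
                PREFIX + "container": container,
                PREFIX + "ownerReference-APIVersion": owner_api,
                PREFIX + "ownerReference-Kind": owner_kind,
                PREFIX + "ownerReference-Name": owner_name,
                PREFIX + "ownerReference-UID": "00000000-0000-0000-0000-000000000000",  # placeholder
            },
        },
        "spec": {"defaultAction": "SCMP_ACT_ERRNO",
                 "syscalls": [{"action": "SCMP_ACT_ALLOW", "names": sorted(syscalls)}]},
    }


# Constructed sample: two replicas of one ReplicaSet on different nodes,
# one Job pod, and one hand-written profile without gadget annotations.
SAMPLE_PROFILES = [
    _profile("web-node-a", "node-a", "default/web-7d9c8-abc12", "nginx",
             "apps/v1", "ReplicaSet", "web-7d9c8",
             {"read", "write", "epoll_wait", "accept4"}),
    _profile("web-node-b", "node-b", "default/web-7d9c8-def34", "nginx",
             "apps/v1", "ReplicaSet", "web-7d9c8",
             {"read", "write", "epoll_wait", "sendfile"}),
    _profile("backup", "node-a", "default/backup-xyz", "rsync",
             "batch/v1", "Job", "backup", {"read", "write", "openat"}),
    {"kind": "SeccompProfile", "metadata": {"name": "hand-written", "namespace": "gadget"},
     "spec": {"defaultAction": "SCMP_ACT_ALLOW"}},
]

if __name__ == "__main__":
    for key, group in group_by_owner(SAMPLE_PROFILES).items():
        print(key, sorted(group["nodes"]), sorted(group["syscalls"]))
```

In a live cluster the input list would come from the SeccompProfile objects in the Trace's output namespace; the grouping key deliberately includes the container name, since sidecars in the same pod need separate profiles.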

Example CR

apiVersion: gadget.kinvolk.io/v1alpha1
kind: Trace
metadata:
  name: seccomp
  namespace: gadget
  labels:
    team: devops
spec:
  node: minikube
  gadget: seccomp

  # # Example of filter for manual generation with the
  # # gadget.kinvolk.io/operation=generate annotation. This needs a namespace and
  # # podname to the exclusion of other fields.
  # filter:
  #   namespace: default
  #   podname: mypod

  # Another example of filter for automatic generation when containers
  # terminate. All fields are supported.
  filter:
    namespace: default

  runMode: Manual
  outputMode: ExternalResource
  output: gadget/myseccomp
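The example CR above is set up for at-termination generation (a namespace-only filter with outputMode ExternalResource); the same manifest cannot be used with the generate operation until the filter is narrowed to one pod. The following added example (not part of Inspektor Gadget) encodes the constraints the page states for the two generation paths as a preflight check that can be run on a manifest before it is applied. It assumes spec.output for ExternalResource is the namespaced name of the SeccompProfile in the form namespace/name, as in gadget/myseccomp; the manifest dict mirrors the page's example CR.

```python
import copy
from typing import List

# Output modes each generation path supports, as documented for the gadget.
ON_DEMAND_OUTPUT_MODES = {"Status", "ExternalResource"}
AT_TERMINATION_OUTPUT_MODES = {"ExternalResource", "Stream"}

# Constructed manifest mirroring the page's example Trace CR.
EXAMPLE_TRACE = {
    "apiVersion": "gadget.kinvolk.io/v1alpha1",
    "kind": "Trace",
    "metadata": {"name": "seccomp", "namespace": "gadget",
                 "labels": {"team": "devops"}},
    "spec": {
        "node": "minikube",
        "gadget": "seccomp",
        "filter": {"namespace": "default"},
        "runMode": "Manual",
        "outputMode": "ExternalResource",
        "output": "gadget/myseccomp",
    },
}


def _common_problems(spec: dict) -> List[str]:
    """Checks that apply regardless of how the profile is generated."""
    problems = []
    if spec.get("gadget") != "seccomp":
        problems.append("spec.gadget must be 'seccomp'")
    if spec.get("outputMode") == "ExternalResource":
        out = spec.get("output") or ""
        # Assumption: output names the SeccompProfile as 'namespace/name'.
        parts = out.split("/")
        if len(parts) != 2 or not all(parts):
            problems.append("outputMode ExternalResource needs spec.output as 'namespace/name'")
    return problems


def check_on_demand(trace: dict) -> List[str]:
    """Problems that would block gadget.kinvolk.io/operation=generate."""
    spec = trace.get("spec") or {}
    problems = _common_problems(spec)
    flt = spec.get("filter") or {}
    # Exactly one pod may be targeted: namespace + podname and nothing else.
    if set(flt) != {"namespace", "podname"}:
        problems.append(
            "on-demand generation needs filter.namespace and filter.podname and "
            "no other filter fields; got " + (", ".join(sorted(flt)) or "none"))
    mode = spec.get("outputMode")
    if mode not in ON_DEMAND_OUTPUT_MODES:
        problems.append(f"outputMode {mode!r} is not supported for on-demand generation")
    return problems


def check_at_termination(trace: dict) -> List[str]:
    """Problems that would block generation when matching containers terminate."""
    spec = trace.get("spec") or {}
    problems = _common_problems(spec)
    mode = spec.get("outputMode")
    if mode not in AT_TERMINATION_OUTPUT_MODES:
        problems.append(f"outputMode {mode!r} is not supported for at-termination generation")
    return problems


def on_demand_variant(trace: dict, podname: str) -> dict:
    """Copy of the Trace narrowed to a single pod so `generate` can be used."""
    t = copy.deepcopy(trace)
    namespace = t["spec"]["filter"]["namespace"]
    t["spec"]["filter"] = {"namespace": namespace, "podname": podname}
    return t


if __name__ == "__main__":
    print("at-termination:", check_at_termination(EXAMPLE_TRACE) or "ok")
    print("on-demand:", check_on_demand(EXAMPLE_TRACE) or "ok")
    print("on-demand (mypod):",
          check_on_demand(on_demand_variant(EXAMPLE_TRACE, "mypod")) or "ok")
```

Running the script reports the page's example as valid for at-termination generation and rejects it for on-demand generation until the filter is narrowed to one pod; a Stream output mode is likewise rejected for the on-demand path and a Status output mode for the at-termination path.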

Operations

start

Start recording syscalls

$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=start

generate

Generate a seccomp profile for the pod specified in Trace.Spec.Filter. The namespace and pod name should be specified to the exclusion of other fields.

$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=generate

stop

Stop recording syscalls

$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=stop

Output Modes

  • ExternalResource
  • Status
  • Stream