The seccomp gadget traces system calls for each container in order to generate seccomp policies.
The seccomp policies can be generated in two ways:
- on demand with the gadget.kinvolk.io/operation=generate annotation. In this case, the Trace.Spec.Filter should specify the namespace and pod name to the exclusion of other fields because there can be only one SeccompProfile written in the Trace.Status.Output or in the SeccompProfile resource named by Trace.Spec.Output. The on-demand generation supports the outputMode Status and ExternalResource.
- automatically when containers matching the Trace.Spec.Filter terminate. In this case, all filters are supported. The at-termination generation supports the outputMode ExternalResource and Stream.
The seccomp policies can be written in the Status field of the Trace custom resource, or in SeccompProfiles custom resources managed by the Kubernetes Security Profiles Operator .
SeccompProfiles will have the following annotations:
- seccomp.gadget.kinvolk.io/trace: the namespaced name of the Trace custom resource that generated this SeccompProfile
- seccomp.gadget.kinvolk.io/node: the node where this SeccompProfile was generated
- seccomp.gadget.kinvolk.io/pod: the pod namespaced name of the pod that was traced
- seccomp.gadget.kinvolk.io/container: the container name in the pod that was traced
- seccomp.gadget.kinvolk.io/ownerReference-ApiVersion: the ownerReference's ApiVersion of the pod that was traced
- seccomp.gadget.kinvolk.io/ownerReference-Kind: the ownerReference's Kind of the pod that was traced
- seccomp.gadget.kinvolk.io/ownerReference-Name: the ownerReference's Name of the pod that was traced
- seccomp.gadget.kinvolk.io/ownerReference-UID: the ownerReference's UID of the pod that was traced
SeccompProfiles will have the same labels as the Trace custom resource that generated them. They don't have meaning for the seccomp gadget. They are merely copied for convenience.
apiVersion: gadget.kinvolk.io/v1alpha1 kind: Trace metadata: name: seccomp namespace: gadget labels: team: devops spec: node: minikube gadget: seccomp # # Example of filter for manual generation with the # # gadget.kinvolk.io/operation=generate annotation. This needs a namespace and # # podname at the exclusion of other fields. # filter: # namespace: default # podname: mypod # Another example of filter for automatic generation when containers # terminate. All fields are supported. filter: namespace: default runMode: Manual outputMode: ExternalResource output: gadget/myseccomp
Start recording syscalls
$ kubectl annotate -n gadget trace/seccomp \ gadget.kinvolk.io/operation=start
Generate a seccomp profile for the pod specified in Trace.Spec.Filter. The namespace and pod name should be specified at the exclusion of other fields.
$ kubectl annotate -n gadget trace/seccomp \ gadget.kinvolk.io/operation=generate
Stop recording syscalls
$ kubectl annotate -n gadget trace/seccomp \ gadget.kinvolk.io/operation=stop