Gadget seccomp

    The seccomp gadget traces the system calls made by each container so that seccomp policies can be generated on demand.

    Example Trace custom resource (CR)

    apiVersion: gadget.kinvolk.io/v1alpha1
    kind: Trace
    metadata:
      name: seccomp
      namespace: gadget
    spec:
      node: minikube
      gadget: seccomp
      filter:
        namespace: kube-system
        podname: etcd-minikube
      runMode: Manual
      outputMode: ExternalResource
      output: gadget/myseccomp

    Operations

    start

    Start recording syscalls

    $ kubectl annotate -n gadget trace/seccomp \
        gadget.kinvolk.io/operation=start

    generate

    Generate a seccomp profile

    $ kubectl annotate -n gadget trace/seccomp \
        gadget.kinvolk.io/operation=generate

    stop

    Stop recording syscalls

    $ kubectl annotate -n gadget trace/seccomp \
        gadget.kinvolk.io/operation=stop

    Output Modes

    • ExternalResource
    • Status
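
    A profile generated from a trace reflects the syscalls seen while recording was running, so it is worth reviewing before it is enforced. The check below is an added example, not part of the original page or the gadget's own code. It assumes the generated profile has been exported as JSON with `defaultAction` and `syscalls` (`names`, `action`) fields; `audit_profile` and the `REVIEW_SYSCALLS` list are hypothetical names chosen for illustration.

```python
import json

# Assumption: syscalls that should not be allowed without a second look.
# Illustrative list, not taken from the gadget documentation.
REVIEW_SYSCALLS = {"ptrace", "mount", "umount2", "bpf", "init_module",
                   "finit_module", "kexec_load", "unshare", "setns",
                   "keyctl", "perf_event_open"}
ALLOW = "SCMP_ACT_ALLOW"
# Default actions that let unlisted syscalls run (allowed, or logged and allowed).
PERMISSIVE_DEFAULTS = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}


def audit_profile(profile):
    """Return a list of findings for one seccomp profile dict."""
    findings = []
    default = profile.get("defaultAction")
    if default is None:
        findings.append("defaultAction missing")
    elif default in PERMISSIVE_DEFAULTS:
        findings.append(f"defaultAction {default} does not block unlisted syscalls")
    # Collect every syscall name that some rule explicitly allows.
    allowed = set()
    for rule in profile.get("syscalls") or []:
        if rule.get("action") == ALLOW:
            allowed.update(rule.get("names") or [])
    # An empty allow list under a blocking default usually means the trace
    # filter matched no container or nothing ran while recording.
    if not allowed and default not in PERMISSIVE_DEFAULTS:
        findings.append("no syscalls allowed: recording was probably empty")
    for name in sorted(allowed & REVIEW_SYSCALLS):
        findings.append(f"allows {name}: confirm the workload needs it")
    return findings


# Constructed sample profile; not output captured from the gadget.
SAMPLE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "futex", "epoll_wait", "mount"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```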