The seccomp gadget traces system calls for each container in order to generate seccomp policies.
The seccomp policies can be generated in two ways:
- on demand, by annotating the Trace with gadget.kinvolk.io/operation=generate. In this case, Trace.Spec.Filter must specify the namespace and pod name and no other fields, because only one SeccompProfile can be written to Trace.Status.Output or to the SeccompProfile resource named by Trace.Spec.Output. On-demand generation supports the outputModes Status and ExternalResource.
- automatically, when containers matching Trace.Spec.Filter terminate. In this case, all filter fields are supported. At-termination generation supports the outputModes ExternalResource and Stream.
The seccomp policies can be written in the Status field of the Trace custom resource, or in SeccompProfile custom resources managed by the Kubernetes Security Profiles Operator.
SeccompProfiles will have the following annotations:
- seccomp.gadget.kinvolk.io/trace: the namespaced name of the Trace custom resource that generated this SeccompProfile
- seccomp.gadget.kinvolk.io/node: the node where this SeccompProfile was generated
- seccomp.gadget.kinvolk.io/pod: the pod namespaced name of the pod that was traced
- seccomp.gadget.kinvolk.io/container: the container name in the pod that was traced
- seccomp.gadget.kinvolk.io/container-id: the container ID in the pod that was traced. Typically, 64 hexadecimal characters.
- seccomp.gadget.kinvolk.io/pid: the process ID of the container in the pod that was traced.
SeccompProfiles will have the same labels as the Trace custom resource that generated them. They don't have meaning for the seccomp gadget. They are merely copied for convenience.
```yaml
apiVersion: gadget.kinvolk.io/v1alpha1
kind: Trace
metadata:
  name: seccomp
  namespace: gadget
spec:
  node: minikube
  gadget: seccomp
  # # Example of filter for manual generation with the
  # # gadget.kinvolk.io/operation=generate annotation. This needs a namespace and
  # # podname at the exclusion of other fields.
  # filter:
  #   namespace: default
  #   podname: mypod
  # Another example of filter for automatic generation when containers
  # terminate. All fields are supported.
  filter:
    namespace: default
  runMode: Manual
  outputMode: ExternalResource
  output: gadget/myseccomp
```
Start recording syscalls
```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=start
```
Generate a seccomp profile for the pod specified in Trace.Spec.Filter. The namespace and pod name should be specified at the exclusion of other fields.
```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=generate
```
Stop recording syscalls
```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=stop
```
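With at-termination generation, every matching container that exits produces its own SeccompProfile, so a multi-replica Deployment ends up with several profiles, possibly from several nodes. The following script is an added example (not Inspektor Gadget or Security Profiles Operator code) showing how to post-process them: it uses the seccomp.gadget.kinvolk.io/trace and seccomp.gadget.kinvolk.io/container annotations documented above to pick out the profiles that belong to one Trace, reports which syscalls only some replicas used, and unions the allow-lists into a single profile that can be applied to the whole workload. The sample profiles are constructed for the example, and the SeccompProfile apiVersion (security-profiles-operator.x-k8s.io/v1beta1) and the merged-from annotation key are assumptions; only the gadget annotation keys come from this page.

```python
"""Merge seccomp-gadget SeccompProfiles into one profile (added example)."""
import json
from typing import Dict, List, Optional, Set

# Annotation keys written by the seccomp gadget (from the docs above).
TRACE_ANN = "seccomp.gadget.kinvolk.io/trace"
POD_ANN = "seccomp.gadget.kinvolk.io/pod"
CONTAINER_ANN = "seccomp.gadget.kinvolk.io/container"
# Assumed API group/version of the Security Profiles Operator CRD.
SPO_API = "security-profiles-operator.x-k8s.io/v1beta1"


def _profile(name: str, trace: str, pod: str, container: str, syscalls: List[str]) -> Dict:
    """Build a minimal SeccompProfile shaped like the gadget's output (constructed)."""
    return {
        "apiVersion": SPO_API,
        "kind": "SeccompProfile",
        "metadata": {
            "name": name,
            "namespace": "gadget",
            "annotations": {TRACE_ANN: trace, POD_ANN: pod, CONTAINER_ANN: container},
        },
        "spec": {
            "defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": syscalls, "action": "SCMP_ACT_ALLOW"}],
        },
    }


# Constructed sample: two replicas of container "app" traced by Trace
# gadget/seccomp, plus one profile from an unrelated Trace that must be ignored.
SAMPLE_PROFILES: List[Dict] = [
    _profile("myseccomp-a1", "gadget/seccomp", "default/mypod-7d9f8-abc12", "app",
             ["read", "write", "close", "exit_group"]),
    _profile("myseccomp-b2", "gadget/seccomp", "default/mypod-7d9f8-def34", "app",
             ["read", "write", "close", "exit_group", "openat", "fstat"]),
    _profile("other-c3", "gadget/other", "default/otherpod", "sidecar",
             ["execve", "read", "write"]),
]


def select_profiles(profiles: List[Dict], trace: str,
                    container: Optional[str] = None) -> List[Dict]:
    """Keep profiles whose annotations say they came from `trace`
    (and, if given, from a container with that name)."""
    selected = []
    for p in profiles:
        ann = p.get("metadata", {}).get("annotations", {})
        if ann.get(TRACE_ANN) != trace:
            continue
        if container is not None and ann.get(CONTAINER_ANN) != container:
            continue
        selected.append(p)
    return selected


def allowed_syscalls(profile: Dict) -> Set[str]:
    """Syscall names the profile explicitly allows."""
    names: Set[str] = set()
    for rule in profile["spec"].get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return names


def only_in_some(profiles: List[Dict]) -> Dict[str, Set[str]]:
    """Per profile: syscalls it allows that some other selected profile does
    not, i.e. code paths exercised on only some replicas. Worth reviewing
    before trusting the union."""
    if not profiles:
        return {}
    common = set.intersection(*(allowed_syscalls(p) for p in profiles))
    return {p["metadata"]["name"]: allowed_syscalls(p) - common for p in profiles}


def merge_profiles(profiles: List[Dict], name: str, namespace: str) -> Dict:
    """Union the allow-lists into one SeccompProfile. Anything not observed in
    any traced run stays at the default SCMP_ACT_ERRNO, so the traced runs
    must have covered the paths that matter (error handling, shutdown)."""
    if not profiles:
        raise ValueError("no profiles selected; check the trace/container annotations")
    union: Set[str] = set()
    for p in profiles:
        union |= allowed_syscalls(p)
    return {
        "apiVersion": SPO_API,
        "kind": "SeccompProfile",
        "metadata": {
            "name": name,
            "namespace": namespace,
            # Local convention (assumed), records which generated profiles were merged.
            "annotations": {"merged-from": ",".join(sorted(p["metadata"]["name"] for p in profiles))},
        },
        "spec": {
            "defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": sorted(union), "action": "SCMP_ACT_ALLOW"}],
        },
    }


if __name__ == "__main__":
    # In a cluster the input would be: kubectl get seccompprofiles -n gadget -o json | jq .items
    chosen = select_profiles(SAMPLE_PROFILES, "gadget/seccomp", container="app")
    for pname, extra in only_in_some(chosen).items():
        print(f"{pname}: only here -> {sorted(extra)}")
    # JSON is valid YAML, so the output can be piped into `kubectl apply -f -`.
    print(json.dumps(merge_profiles(chosen, "myseccomp-merged", "gadget"), indent=2))
```

The union deliberately widens the allow-list to whatever any replica used; review the per-replica differences first, because a syscall that appears on only one replica usually means one run exercised a path the others did not, and a path no run exercised will be blocked with EPERM once the merged profile is applied.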