[hi] add example pod ecurity/seccomp

jayeshmahajan · jayeshmahajan · commit 8a82d09a954c · 2025-05-11T18:19:09.000-04:00
diff --git a/content/hi/examples/pods/security/seccomp/alpha/audit-pod.yaml b/content/hi/examples/pods/security/seccomp/alpha/audit-pod.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: audit-pod
+  labels:
+    app: audit-pod
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: localhost/profiles/audit.json
+spec:
+  containers:
+  - name: test-container
+    image: hashicorp/http-echo:0.2.3
+    args:
+    - "-text=just made some syscalls!"
+    securityContext:
+      allowPrivilegeEscalation: false
diff --git a/content/hi/examples/pods/security/seccomp/alpha/default-pod.yaml b/content/hi/examples/pods/security/seccomp/alpha/default-pod.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: default-pod
+  labels:
+    app: default-pod
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+spec:
+  containers:
+  - name: test-container
+    image: hashicorp/http-echo:0.2.3
+    args:
+    - "-text=just made some syscalls!"
+    securityContext:
+      allowPrivilegeEscalation: false
diff --git a/content/hi/examples/pods/security/seccomp/alpha/fine-pod.yaml b/content/hi/examples/pods/security/seccomp/alpha/fine-pod.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: fine-pod
+  labels:
+    app: fine-pod
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: localhost/profiles/fine-grained.json
+spec:
+  containers:
+  - name: test-container
+    image: hashicorp/http-echo:0.2.3
+    args:
+    - "-text=just made some syscalls!"
+    securityContext:
+      allowPrivilegeEscalation: false
diff --git a/content/hi/examples/pods/security/seccomp/alpha/violation-pod.yaml b/content/hi/examples/pods/security/seccomp/alpha/violation-pod.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: violation-pod
+  labels:
+    app: violation-pod
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: localhost/profiles/violation.json
+spec:
+  containers:
+  - name: test-container
+    image: hashicorp/http-echo:0.2.3
+    args:
+    - "-text=just made some syscalls!"
+    securityContext:
+      allowPrivilegeEscalation: false
diff --git a/content/hi/examples/pods/security/seccomp/fields.yaml b/content/hi/examples/pods/security/seccomp/fields.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod
+spec:
+  securityContext:
+    seccompProfile:
+      type: Unconfined
+  ephemeralContainers:
+  - name: ephemeral-container
+    image: debian
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - name: init-container
+    image: debian
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  containers:
+  - name: container
+    image: docker.io/library/debian:stable
+    securityContext:
+      seccompProfile:
+        type: Localhost
+        localhostProfile: my-profile.json
diff --git a/content/hi/examples/pods/security/seccomp/ga/audit-pod.yaml b/content/hi/examples/pods/security/seccomp/ga/audit-pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: audit-pod
+  labels:
+    app: audit-pod
+spec:
+  securityContext:
+    seccompProfile:
+      type: Localhost
+      localhostProfile: profiles/audit.json
+  containers:
+  - name: test-container
+    image: hashicorp/http-echo:1.0
+    args:
+    - "-text=just made some syscalls!"
+    securityContext:
+      allowPrivilegeEscalation: false
diff --git a/content/hi/examples/pods/security/seccomp/ga/default-pod.yaml b/content/hi/examples/pods/security/seccomp/ga/default-pod.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: default-pod
+  labels:
+    app: default-pod
+spec:
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+  containers:
+  - name: test-container
+    image: hashicorp/http-echo:1.0
+    args:
+    - "-text=just made some more syscalls!"
+    securityContext:
+      allowPrivilegeEscalation: false
diff --git a/content/hi/examples/pods/security/seccomp/ga/fine-pod.yaml b/content/hi/examples/pods/security/seccomp/ga/fine-pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: fine-pod
+  labels:
+    app: fine-pod
+spec:
+  securityContext:
+    seccompProfile:
+      type: Localhost
+      localhostProfile: profiles/fine-grained.json
+  containers:
+  - name: test-container
+    image: hashicorp/http-echo:1.0
+    args:
+    - "-text=just made some syscalls!"
+    securityContext:
+      allowPrivilegeEscalation: false
diff --git a/content/hi/examples/pods/security/seccomp/ga/violation-pod.yaml b/content/hi/examples/pods/security/seccomp/ga/violation-pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: violation-pod
+  labels:
+    app: violation-pod
+spec:
+  securityContext:
+    seccompProfile:
+      type: Localhost
+      localhostProfile: profiles/violation.json
+  containers:
+  - name: test-container
+    image: hashicorp/http-echo:1.0
+    args:
+    - "-text=just made some syscalls!"
+    securityContext:
+      allowPrivilegeEscalation: false
diff --git a/content/hi/examples/pods/security/seccomp/kind.yaml b/content/hi/examples/pods/security/seccomp/kind.yaml
@@ -0,0 +1,7 @@
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+nodes:
+- role: control-plane
+  extraMounts:
+  - hostPath: "./profiles"
+    containerPath: "/var/lib/kubelet/seccomp/profiles"
diff --git a/content/hi/examples/pods/security/seccomp/profiles/audit.json b/content/hi/examples/pods/security/seccomp/profiles/audit.json
@@ -0,0 +1,3 @@
+{
+    "defaultAction": "SCMP_ACT_LOG"
+}
diff --git a/content/hi/examples/pods/security/seccomp/profiles/fine-grained.json b/content/hi/examples/pods/security/seccomp/profiles/fine-grained.json
@@ -0,0 +1,69 @@
+{
+    "defaultAction": "SCMP_ACT_ERRNO",
+    "architectures": [
+        "SCMP_ARCH_X86_64",
+        "SCMP_ARCH_X86",
+        "SCMP_ARCH_X32"
+    ],
+    "syscalls": [
+        {
+            "names": [
+                "accept4",
+                "epoll_wait",
+                "pselect6",
+                "futex",
+                "madvise",
+                "epoll_ctl",
+                "getsockname",
+                "setsockopt",
+                "vfork",
+                "mmap",
+                "read",
+                "write",
+                "close",
+                "arch_prctl",
+                "sched_getaffinity",
+                "munmap",
+                "brk",
+                "rt_sigaction",
+                "rt_sigprocmask",
+                "sigaltstack",
+                "gettid",
+                "clone",
+                "bind",
+                "socket",
+                "openat",
+                "readlinkat",
+                "exit_group",
+                "epoll_create1",
+                "listen",
+                "rt_sigreturn",
+                "sched_yield",
+                "clock_gettime",
+                "connect",
+                "dup2",
+                "epoll_pwait",
+                "execve",
+                "exit",
+                "fcntl",
+                "getpid",
+                "getuid",
+                "ioctl",
+                "mprotect",
+                "nanosleep",
+                "open",
+                "poll",
+                "recvfrom",
+                "sendto",
+                "set_tid_address",
+                "setitimer",
+                "writev",
+                "fstatfs",
+                "getdents64",
+                "pipe2",
+                "getrlimit"
+            ],
+            "action": "SCMP_ACT_ALLOW"
+        }
+    ]
+}
diff --git a/content/hi/examples/pods/security/seccomp/profiles/violation.json b/content/hi/examples/pods/security/seccomp/profiles/violation.json
@@ -0,0 +1,3 @@
+{
+    "defaultAction": "SCMP_ACT_ERRNO"
+}
