Whats the recommended way to apply custom seccomp policies?

[netjordan]

We have a need to run chrome headless in kubernetes, and their suggestion (https://github.com/Zenika/alpine-chrome#-the-best-with-seccomp) is to use a custom seccomp policy which they have applied. What would be the best/easiest way to use this? From what I understand this JSON file needs to be present on the underlying host and then referenced by any containers wishing to use it.

[arnaldo2792]

Hello @netjordan, I think you should be able to use bootstrap containers to create the seccomp profiles that you need in /var/lib/kubernetes/profiles and then follow the instructions here to select the seccomp profile you want for your workloads.

I haven't tested this, but there aren't any restrictions in place for Bootstrap containers to put files in /var/lib/kubernetes/*, so theoretically this should work, I'll test it and come back to you (or you can give it a spin and if you beat me share the results 🐎 !).

[netjordan]

We're still struggling trying to get chrome to run (separate issues due to the way it does it's own sandboxing) - however worth noting the correct location for the seccomp profiles is /var/lib/kubelet/seccomp/profiles/ - not tried this with a bootstrap container yet

[arnaldo2792]

Sorry, I'm giving this a spin now, I'll comment shortly with my findings.

[arnaldo2792]

Ok, I tested what I commented above, and I confirmed that seccomp filters can be overridden with seccomp filters provided through bootstrap containers. This is what I did:

Create a bootstrap container that provides the seccomp filter, e.g:

FROM alpine
ENV SECCOMP_FILTER_PATH=/var/lib/seccomp/filters
ENV K8S_SECCOMP_FILTER_PATH=/var/lib/kubelet/seccomp/profiles
RUN mkdir -p "${SECCOMP_FILTER_PATH}"
COPY profiles/* ${SECCOMP_FILTER_PATH}/
COPY entrypoint /usr/bin/entrypoint
RUN chmod +x /usr/bin/entrypoint
ENTRYPOINT ["entrypoint"]

With entrypoint as:

#!/usr/bin/env sh

BOTTLEROCKET_ROOTFS_PREFIX="/.bottlerocket/rootfs"
FILTERS_FULL_PATH="${BOTTLEROCKET_ROOTFS_PREFIX}${K8S_SECCOMP_FILTER_PATH}"

# Create filters path
mkdir -p ${FILTERS_FULL_PATH}

# Copy filter
cp ${SECCOMP_FILTER_PATH}/* "${FILTERS_FULL_PATH}"

And in filters, I added the audit.json and violation.json profiles provided in the k8s page linked above.

Then, I launched a k8s workload with this pod yaml definition:

apiVersion: v1
kind: Pod
metadata:
  name: violation-pod
  labels:
    app: violation-pod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/violation.json
  containers:
  - name: test-container
    image: hashicorp/http-echo:0.2.3
    args:
    - "-text=just made some syscalls!"
    securityContext:
      allowPrivilegeEscalation: false

And I confirmed that the pod failed to start:

NAME            READY   STATUS             RESTARTS        AGE
violation-pod   0/1     CrashLoopBackOff   5 (2m33s ago)   5m27s

So you can create a json file, with the seccomp profile suggested in the Github project you linked, put it in /var/lib/kubelet/seccomp/profiles through a bootstrap container, and use it in your workloads 👍

[bcressey]

You can also use an Init Container to add the seccomp policy to this path, which may be preferable as it uses native Kubernetes functionality rather than depending on a Bottlerocket feature.