Breaking News: AKS Enhances Security with Seccomp Profiles
How Azure Kubernetes Service (AKS) uses seccomp profiles to restrict the system calls a container can make, and how to troubleshoot workloads that a profile breaks.
AKS Introduces Seccomp for Enhanced Container Security
Azure Kubernetes Service (AKS) has announced support for configuring seccomp profiles to harden container workloads. Seccomp (secure computing mode) is a Linux kernel facility that filters the system calls a process is allowed to make. Applied to a container, it shrinks the kernel attack surface reachable from a compromised process: an attacker who gains code execution inside the container can only reach the kernel through the syscalls the profile still allows, so many container-escape techniques fail at the syscall boundary.
How Seccomp Profiles Work
A seccomp profile is a set of rules stating, for each system call, whether it is allowed, denied with an error, logged, or causes the process to be killed. At the node-pool level, AKS lets you choose the default the kubelet applies to pods that do not set a profile of their own, with two values:
- RuntimeDefault: Applies the default seccomp profile shipped by the container runtime (on AKS, containerd's built-in profile, which denies a few dozen privileged or rarely needed syscalls and allows the rest).
- Unconfined: Applies no filter at all; every system call is allowed. This is what a pod gets when nothing is configured.
Individual pods and containers can still override the node default through securityContext.seccompProfile, which also accepts the type Localhost for a custom profile file stored on the node.
Setting Up Seccomp Profiles in AKS
To configure the node-pool default, follow the AKS documentation on Linux security features. For finer control, write a custom profile: a JSON file in the same format as the runtime default, placed under the kubelet's seccomp directory on every node (/var/lib/kubelet/seccomp by default) and referenced from the pod with type Localhost and localhostProfile set to the path relative to that directory. Start from the runtime default and allow only the syscalls your workload actually needs, and test under realistic load before rollout: a blocked syscall usually surfaces as an EPERM error or a crash in a code path that is hit only occasionally, not as an obvious failure at startup.
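The following is an added example written for this article, not code from AKS or Kubernetes. It emits Pod manifests with an explicit seccompProfile (kubectl apply accepts JSON manifests, so no YAML library is needed) and resolves which profile each container actually runs with, using the Kubernetes rules: a container-level seccompProfile overrides the pod-level one, and a pod that sets neither inherits the kubelet's default, which is Unconfined unless the node pool's kubelet runs with a RuntimeDefault seccomp default. Pod names, images and the profile file name are constructed.

```python
"""Emit Pod manifests with an explicit seccomp profile and audit which containers
end up Unconfined. Added example; pod names, images and profile paths are invented."""
import json

VALID_TYPES = {"RuntimeDefault", "Unconfined", "Localhost"}


def seccomp_profile(profile_type="RuntimeDefault", localhost_profile=None):
    """Build and validate a securityContext.seccompProfile object."""
    if profile_type not in VALID_TYPES:
        raise ValueError(f"unknown seccomp profile type {profile_type!r}")
    profile = {"type": profile_type}
    if profile_type == "Localhost":
        if not localhost_profile:
            raise ValueError("Localhost needs localhostProfile, a path relative to "
                             "the kubelet seccomp root (/var/lib/kubelet/seccomp)")
        profile["localhostProfile"] = localhost_profile
    elif localhost_profile:
        raise ValueError("localhostProfile is only valid with type Localhost")
    return profile


def pod_manifest(name, image, profile_type="RuntimeDefault", localhost_profile=None):
    """Pod with the profile set at pod level so every container inherits it."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {
            "securityContext": {
                "seccompProfile": seccomp_profile(profile_type, localhost_profile),
            },
            "containers": [{
                "name": name,
                "image": image,
                "securityContext": {"allowPrivilegeEscalation": False},
            }],
        },
    }


def effective_profiles(pod, node_default="Unconfined"):
    """Resolve the profile type each container (and init container) really gets:
    container-level setting > pod-level setting > kubelet default."""
    spec = pod["spec"]
    pod_level = spec.get("securityContext", {}).get("seccompProfile")
    result = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        chosen = c.get("securityContext", {}).get("seccompProfile") or pod_level
        result[c["name"]] = chosen["type"] if chosen else node_default
    return result


def unconfined_containers(pods, node_default="Unconfined"):
    """(pod, container) pairs that would run with no syscall filter at all."""
    return [(pod["metadata"]["name"], cname)
            for pod in pods
            for cname, ptype in effective_profiles(pod, node_default).items()
            if ptype == "Unconfined"]


if __name__ == "__main__":
    # Constructed pods: hardened, custom node-local profile, no profile at all,
    # and one container that opts out of the pod-level profile.
    hardened = pod_manifest("web", "example.azurecr.io/web:1.0")
    custom = pod_manifest("timesync", "example.azurecr.io/chrony:1.0",
                          "Localhost", "profiles/allow-timesync.json")
    bare = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bare"},
            "spec": {"containers": [{"name": "app", "image": "example.azurecr.io/app:1.0"}]}}
    mixed = pod_manifest("batch", "example.azurecr.io/batch:1.0")
    mixed["spec"]["containers"].append({
        "name": "legacy", "image": "example.azurecr.io/legacy:1.0",
        "securityContext": {"seccompProfile": {"type": "Unconfined"}},
    })
    print(json.dumps(hardened, indent=2))  # feed to: kubectl apply -f -
    pods = [hardened, custom, bare, mixed]
    print("unconfined (kubelet default Unconfined):", unconfined_containers(pods))
    print("unconfined (kubelet default RuntimeDefault):",
          unconfined_containers(pods, "RuntimeDefault"))
```

Running the audit with both node defaults shows why the node-pool setting matters: switching the kubelet default to RuntimeDefault fixes every pod that simply forgot to set a profile, but a container that explicitly asks for Unconfined keeps it, so explicit opt-outs still need a policy (for example a Pod Security admission level of baseline or higher) to catch them.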
Troubleshooting Blocked System Calls with Inspektor Gadget
Inspektor Gadget is an open-source, eBPF-based collection of Kubernetes troubleshooting tools. After installing the kubectl-gadget plugin and deploying it to the cluster (kubectl gadget deploy), run kubectl gadget run audit_seccomp to see, per namespace, pod and container, each system call a seccomp filter rejected, together with the process that made it and the action taken. Run it while reproducing the failure; the syscall names it reports are exactly the names to add to a custom profile.
Commonly Blocked System Calls
Certain system calls are denied by the runtime default profile, either outright or unless the container holds a specific capability. The ones most often behind a broken workload:
- clock_settime, clock_adjtime (and settimeofday): allowed only if the container has CAP_SYS_TIME. A workload that sets the system clock, such as an NTP or PTP daemon, needs either that capability or a custom profile.
- add_key, keyctl and request_key: the kernel keyring syscalls are denied outright. Software that uses the kernel keyring (for example Kerberos credential caches of type KEYRING) needs a custom profile.
- clone: allowed in general, but denied when the flags request a new namespace (CLONE_NEWUSER, CLONE_NEWNET and so on) unless the container has CAP_SYS_ADMIN. Tools that create their own namespaces, such as nested sandboxes or rootless container builders, hit this.
- io_uring_setup, io_uring_enter and io_uring_register: allowed in containerd 1.7 but denied in containerd 2.0, which dropped io_uring from its default profile (as Docker did) after a series of kernel vulnerabilities in that subsystem. A node pool moving to a containerd 2.0 node image can therefore break applications or runtime libraries that use io_uring for I/O and worked before.
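The example below is added for this article and is not code from AKS, containerd or Inspektor Gadget. It covers both the list above and the custom-profile step: it derives a Localhost profile from a base profile by adding one allow rule, and it predicts what a profile decides for a given syscall, capability set and arguments, so you can check a profile before copying it to the nodes. BASE_PROFILE is a constructed, heavily trimmed stand-in for the containerd 2.0 default (a real default profile allows a few hundred syscalls; only rules relevant to the syscalls above are kept). Field names and actions follow the OCI/Docker seccomp JSON format that the kubelet and containerd load; decide() reimplements the matching rules in simplified form (rules are filtered by includes/excludes capabilities, the first matching rule wins, and only SCMP_CMP_MASKED_EQ argument checks are supported).

```python
"""Derive a Localhost seccomp profile and predict its decisions. Added example;
BASE_PROFILE is a constructed, trimmed stand-in for the containerd 2.0 default."""
import json
from copy import deepcopy

# Mask of the clone(2) flags that create namespaces (CLONE_NEWNS|NEWUTS|NEWIPC|
# NEWUSER|NEWPID|NEWNET|NEWCGROUP). The default profile denies clone() calls that
# set any of them unless the container has CAP_SYS_ADMIN.
CLONE_NS_MASK = 0x7E020000
CLONE_NEWUSER = 0x10000000
NO_ARGS = (0,) * 6

BASE_PROFILE = {  # constructed, trimmed stand-in for the runtime default profile
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,  # EPERM for anything not matched below
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "clock_gettime"],
         "action": "SCMP_ACT_ALLOW"},
        # setting the clock only when the container holds CAP_SYS_TIME
        {"names": ["clock_adjtime", "clock_settime", "settimeofday"],
         "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_TIME"]}},
        # clone() allowed only if no namespace-creating flag bit is set ...
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": CLONE_NS_MASK, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        # ... or unconditionally with CAP_SYS_ADMIN
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
        # add_key/keyctl/request_key and io_uring_* are absent on purpose: the
        # default action (EPERM) applies to them, as in containerd 2.0.
    ],
}


def _rule_applies(rule, caps):
    """A rule is installed only if the container's capabilities satisfy it:
    any listed 'includes' cap must be held, no listed 'excludes' cap may be."""
    includes = rule.get("includes", {}).get("caps", [])
    excludes = rule.get("excludes", {}).get("caps", [])
    if includes and not any(c in caps for c in includes):
        return False
    return not any(c in caps for c in excludes)


def _args_match(conditions, args):
    """Only SCMP_CMP_MASKED_EQ is modelled: (arg & value) must equal valueTwo."""
    for cond in conditions:
        if cond["op"] != "SCMP_CMP_MASKED_EQ":
            raise NotImplementedError(cond["op"])
        if (args[cond["index"]] & cond["value"]) != cond["valueTwo"]:
            return False
    return True


def decide(profile, syscall, caps=(), args=NO_ARGS):
    """Action the profile takes for `syscall` in a container holding `caps`."""
    caps = set(caps)
    for rule in profile["syscalls"]:
        if (syscall in rule["names"] and _rule_applies(rule, caps)
                and _args_match(rule.get("args", []), args)):
            return rule["action"]
    return profile["defaultAction"]


def extend_profile(base, extra_syscalls):
    """Keep every base rule and add one unconditional allow rule for the extras."""
    profile = deepcopy(base)
    profile["syscalls"].append({"names": sorted(set(extra_syscalls)),
                                "action": "SCMP_ACT_ALLOW"})
    return profile


def write_profile(profile, path):
    """Write the JSON the kubelet loads from <seccomp root>/<localhostProfile>."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)


# Syscalls an audit_seccomp run would typically report for a time-sync plus
# io_uring workload; allowing them is a deliberate widening of the default.
NEEDED = ["clock_settime", "clock_adjtime", "add_key", "keyctl", "request_key",
          "io_uring_setup", "io_uring_enter", "io_uring_register"]
CUSTOM_PROFILE = extend_profile(BASE_PROFILE, NEEDED)

if __name__ == "__main__":
    newuser = (CLONE_NEWUSER,) + NO_ARGS[1:]
    for name, caps, args in [("clock_settime", (), NO_ARGS),
                             ("clock_settime", ("CAP_SYS_TIME",), NO_ARGS),
                             ("clone", (), newuser),
                             ("clone", ("CAP_SYS_ADMIN",), newuser),
                             ("io_uring_setup", (), NO_ARGS)]:
        print(f"{name:15} caps={caps or '-'} base={decide(BASE_PROFILE, name, caps, args)}"
              f" custom={decide(CUSTOM_PROFILE, name, caps, args)}")
    # Copy this file to /var/lib/kubelet/seccomp/profiles/ on every node, then set
    # seccompProfile: {type: Localhost, localhostProfile: profiles/allow-timesync-iouring.json}
    write_profile(CUSTOM_PROFILE, "allow-timesync-iouring.json")
```

Two design points carry over to real profiles. The derived profile keeps defaultAction SCMP_ACT_ERRNO, so everything not explicitly listed stays denied; resist the temptation to flip the default to allow and list denials instead, because a kernel upgrade then silently exposes every new syscall. And the extras are added as a separate rule rather than edited into existing ones, which keeps the diff against the runtime default reviewable when the runtime changes that default underneath you, as containerd 2.0 did for io_uring.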
Next Steps
If a workload fails because of a blocked system call, do not fall back to Unconfined for the whole pod. Where the default profile keys on a narrow capability, grant just that capability (CAP_SYS_TIME for clock setting); where it keys on CAP_SYS_ADMIN, which is close to root, build a custom profile instead. A custom profile should start from the runtime default and add only the syscalls Inspektor Gadget reported; then re-run kubectl gadget run audit_seccomp against the fixed pod to confirm nothing else is denied. Keep the profile under version control next to the manifest, because a container runtime upgrade (such as containerd 1.7 to 2.0) can change what RuntimeDefault means.