Runtime security provides active protection for running containers by detecting and blocking malicious activities before they affect your workloads.
Limit syscalls with seccomp
Secure computing mode (seccomp) protects the host kernel by intercepting syscalls and allowing only those in an allowlist. Unlike SELinux, seccomp is not designed to isolate containers — its purpose is to restrict the syscall surface available to container processes.
Apply a seccomp profile to a pod
Linux provides hundreds of syscalls, but most containers need only a small subset. Before creating a custom profile, identify which syscalls your application actually uses:
Use strace to trace your application and record which syscalls it makes.
Use syscall2seccomp to convert the trace data into a seccomp profile.
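The two steps above, sketched as an added example (not code from this page or from the syscall2seccomp tool): it extracts syscall names from strace output and emits a deny-by-default profile in the JSON format that Docker and containerd accept. The trace lines are constructed, and the function names and the x86_64 architecture are assumptions.

```python
import json
import re

# Constructed sample of `strace -f` output (not captured from a real workload).
SAMPLE_TRACE = """\
[pid  4121] openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3
[pid  4121] read(3, "port=8080\\n", 4096) = 10
[pid  4122] futex(0x7f1c2a3b4c, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid  4121] close(3) = 0
[pid  4122] <... futex resumed>) = 0
[pid  4121] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
[pid  4121] accept4(5, NULL, NULL, SOCK_CLOEXEC) = 6
[pid  4121] +++ exited with 0 +++
"""

# Optional "[pid N]" (terminal) or "N" (-o file) prefix, then either
# "name(" or the "<... name resumed>" half of a split call.
_CALL = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:<\.\.\. (\w+) resumed>|(\w+)\()"
)


def syscalls_from_strace(trace):
    """Return the sorted, de-duplicated syscall names seen in strace output."""
    names = set()
    for line in trace.splitlines():
        m = _CALL.match(line.strip())
        if m:  # signal (---) and exit (+++) lines never match
            names.add(m.group(1) or m.group(2))
    return sorted(names)


def build_profile(names, arch="SCMP_ARCH_X86_64"):
    """Build a seccomp profile that denies everything except `names`."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",   # unlisted syscalls return an error
        "architectures": [arch],             # assumption: x86_64 nodes
        "syscalls": [{"names": list(names), "action": "SCMP_ACT_ALLOW"}],
    }


if __name__ == "__main__":
    profile = build_profile(syscalls_from_strace(SAMPLE_TRACE))
    print(json.dumps(profile, indent=2))
```

A trace covers only the code paths exercised while strace was attached, so exercise startup, steady-state load and shutdown before relying on the resulting allowlist.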
Docker and containerd both ship with a default seccomp profile that works for most general-purpose workloads. See the default seccomp profile for the full allowlist.
To apply the default profile to a pod, add the following to your pod specification:
Kubernetes 1.19 and later (recommended):
securityContext:
  seccompProfile:
    type: RuntimeDefault
Kubernetes earlier than 1.19:
annotations:
  seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
Enable RuntimeDefault cluster-wide with SeccompDefault
The SeccompDefault feature gate automatically applies the RuntimeDefault seccomp profile to all pods on a node, without requiring per-pod configuration.
Availability: Alpha in Kubernetes 1.22, generally available (GA) in Kubernetes 1.27.
The SeccompDefault feature gate is disabled by default in Kubernetes 1.22–1.24. Test this feature on a non-production node before enabling it cluster-wide.
To enable SeccompDefault on a node:
In the kubelet configuration file, add the --feature-gates parameter and set SeccompDefault=true. This step is required for Kubernetes 1.22–1.24 only.
Add the --seccomp-default parameter to the kubelet configuration file.
Restart the kubelet.
After enabling the feature, all pods deployed on that node automatically use the node runtime's default seccomp profile. Syscalls outside the default profile allowlist are blocked.
Consider Linux capabilities before configuring seccomp
Linux capabilities divide kernel privileges into discrete units, each corresponding to checks on specific kernel functions. When a capability check fails, the relevant syscall returns an error. seccomp works as a syscall filter applied before syscalls run — a process can set up a seccomp filter to revoke permissions for specific syscalls or arguments.
Before building a seccomp profile, assess whether adding or removing Linux capabilities addresses your security requirements. In many cases, capability adjustments are simpler and sufficient. See Set capabilities for a container for guidance.
Use third-party tools for ongoing profile management
Creating and maintaining custom seccomp and AppArmor profiles requires in-depth Linux security expertise. If the default runtime profile does not meet your requirements and you are not familiar with Linux security internals, consider a commercial third-party solution. These tools use machine learning to detect and alert on abnormal behavior, which provides stronger coverage than static profiles alone.
Detect workload security risks with ACK inspection
Container Service for Kubernetes (ACK) clusters include a built-in inspection feature that continuously scans workloads for security risks. The inspection report shows failed items alongside actionable suggestions, giving your security operations and maintenance (O&M) team a prioritized view of what to fix.
Detect and block runtime threats with Security Center
Alibaba Cloud Security Center integrates with ACK to provide runtime threat detection and response across cloud-native applications, securing each pod's runtime environment.
Security Center:
Automatically collects threat intelligence from cloud-native applications, traces threat origins, and responds to incidents
Correlates multiple log types and analyzes context to detect risks in real time, including malicious code or command execution, SQL injections, and data breaches
Audits actions based on Kubernetes logs and operations logs to detect container escapes, AccessKey breaches, and unauthorized access across ACK and other orchestration platforms
For more information, see What is Security Center?