
Container Service for Kubernetes: Runtime security

Last Updated: Apr 08, 2024

Runtime security provides active protection for running containers. It detects and prevents malicious activities in running containers to enhance the security of containerized applications.

Use seccomp to limit containerized applications from making syscalls to the kernel

  • Configure a container or a pod to use the seccomp profile

    The Linux operating system provides hundreds of syscalls, but most of them are not required to run containers. To get started with seccomp, use strace to trace your application and record which syscalls it makes. Then use a tool such as syscall2seccomp to create a seccomp profile from the syscalls collected in the trace. For more information, see strace and syscall2seccomp.

    Unlike SELinux, seccomp is not designed to isolate containers. However, seccomp can protect the host kernel against unauthorized syscalls. seccomp intercepts syscalls and allows only syscalls that are included in the whitelist. Docker has a default seccomp profile, which is suitable for most general-purpose workloads. Containerd also contains a default seccomp profile. For more information, see Default seccomp profile.

    You can configure a container or a pod to use the default seccomp profile by adding the following annotation (versions earlier than Kubernetes 1.19) or securityContext field (Kubernetes 1.19 and later) to the specification of the container or pod:

    • Versions earlier than Kubernetes 1.19:

      annotations:
        seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
    • Kubernetes 1.19 and later versions:

      securityContext:
        seccompProfile:
          type: RuntimeDefault
  • Enable the RuntimeDefault feature

    Only Kubernetes 1.22 and later versions support this feature. SeccompDefault entered the Alpha stage in open source Kubernetes 1.22 and became generally available (GA) in open source Kubernetes 1.27. Before you enable and use this feature in a production environment, confirm the Kubernetes version of your cluster. Use the following method to enable this feature:

    1. The SeccompDefault feature gate is disabled by default in Kubernetes versions 1.22 to 1.24. Enable it by adding --feature-gates=SeccompDefault=true to the kubelet startup parameters of the node (or by setting SeccompDefault to true under featureGates in the kubelet configuration file).

    2. Add the --seccomp-default parameter to the kubelet startup parameters of the node (or set seccompDefault: true in the kubelet configuration file) to enable the RuntimeDefault feature.

    3. Restart the kubelet to enable the feature.

    After you enable the feature, pods deployed on the node automatically use the default seccomp profile provided by the node runtime. Syscalls that are not in the default profile whitelist are unavailable. You must test the feature before you use it in a production cluster.

  • Use a third-party solution to maintain seccomp and AppArmor profiles

    If the default seccomp profile provided by the runtime cannot meet your business requirements, you can use a custom seccomp profile. Creating and managing seccomp and AppArmor profiles can be difficult if you are not familiar with Linux security. If you cannot maintain seccomp and AppArmor profiles on your own, you can use a commercial solution provided by a third party. These third-party solutions use machine learning to block or alert on abnormal activities, which is more secure than static profiles such as AppArmor and seccomp.

  • Add or remove Linux capabilities before you configure seccomp policies

    Capabilities are permission checks on kernel functions that are reachable through syscalls. In most cases, if a check fails, the syscall returns an error. The check can be performed at the beginning of a specific syscall, or in an area of the kernel that is reachable through several different syscalls, such as writing to a specific privileged file. Seccomp, by contrast, is a syscall filter that runs before the syscall itself: a process installs a filter, and seccomp then denies specific syscalls, or specific argument values for a syscall, before the kernel executes them.

    Before you get started with seccomp, consider whether adding or removing Linux capabilities already gives you the control you need over the application. For more information, see Set capabilities for a container.
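The capability and seccomp settings described in this section can be checked mechanically before a pod reaches a cluster. The following Python script is an added example, not ACK's inspection feature and not code from this document: it audits a pod manifest (loaded as a dict) for privileged mode, high-risk added capabilities, a missing drop of ALL, and the effective seccomp profile, honouring both the pre-1.19 annotation and the 1.19+ securityContext field shown above. The HIGH_RISK_CAPS set and the two sample pods are assumptions constructed for the example.

```python
# Capabilities treated as high-risk in this example (an assumed policy set,
# not an ACK list): each one gives a container a route to host-level control.
HIGH_RISK_CAPS = {
    "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "SYS_BOOT",
    "NET_ADMIN", "DAC_READ_SEARCH", "BPF",
}

# Pre-1.19 annotation form from this document; 1.19+ uses securityContext.seccompProfile.
POD_SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"


def _norm_cap(cap):
    """Normalise 'cap_sys_admin' / 'CAP_SYS_ADMIN' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def effective_seccomp_type(pod_sc, container_sc, annotations):
    """Return the seccomp profile type that applies to a container, or None.

    A container-level seccompProfile overrides the pod-level one; the legacy
    annotation is consulted only when neither field is set.
    """
    for sc in (container_sc, pod_sc):
        profile = sc.get("seccompProfile")
        if profile:
            return profile.get("type")
    value = annotations.get(POD_SECCOMP_ANNOTATION)
    if value == "runtime/default":
        return "RuntimeDefault"
    if value == "unconfined":
        return "Unconfined"
    if value and value.startswith("localhost/"):
        return "Localhost"
    return None


def audit_pod(pod):
    """Return a list of human-readable findings; an empty list means the pod passes."""
    findings = []
    annotations = pod.get("metadata", {}).get("annotations", {})
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        # privileged mode grants every capability and runs the container unconfined
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true grants every capability and disables seccomp")
        caps = sc.get("capabilities", {})
        added = {_norm_cap(c) for c in caps.get("add", [])}
        dropped = {_norm_cap(c) for c in caps.get("drop", [])}
        risky = sorted(added & HIGH_RISK_CAPS)
        if risky:
            findings.append(f"{name}: adds high-risk capabilities {risky}")
        if "ALL" not in dropped:
            findings.append(f"{name}: does not drop ALL capabilities (drops only {sorted(dropped)})")
        seccomp = effective_seccomp_type(pod_sc, sc, annotations)
        if seccomp is None:
            findings.append(f"{name}: no seccomp profile set; relies on SeccompDefault being enabled on the node")
        elif seccomp == "Unconfined":
            findings.append(f"{name}: seccomp profile is Unconfined")
    return findings


# Constructed sample manifests: one weak, one hardened along the lines of this section.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo-weak"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "CAP_SYS_PTRACE"]}},
    }]},
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo-hardened"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["OK"])
```

The audit treats a missing profile as a finding even though a node with SeccompDefault enabled would still apply RuntimeDefault, because the manifest alone cannot prove that the node is configured that way; setting the profile explicitly in the pod keeps the protection independent of node configuration.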
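Returning to the strace workflow described at the start of this section: the script below is an added example, not the syscall2seccomp tool and not code from this document. It extracts the syscall names from raw strace -f output and emits an OCI seccomp profile that allows only those syscalls, with every other syscall failing with an error. The sample trace is constructed for the example, and the x86 architecture list, the extra_allow set and the command-line usage are assumptions.

```python
import json
import re
import sys

# Constructed sample of raw "strace -f" output. Prefix forms seen in practice:
# "PID  " (strace -f -o file) and "[pid  PID] " (strace -f on a terminal).
# "--- SIG..." and "+++ exited" lines carry no syscall, and "<... name resumed>"
# is the second half of a call that was already counted on its "unfinished" line.
SAMPLE_TRACE = r"""
1234  execve("/app/server", ["/app/server"], 0x7ffe3c2a1b40 /* 12 vars */) = 0
1234  brk(NULL)                           = 0x55a1c0e2a000
1234  arch_prctl(ARCH_SET_FS, 0x7f2e4c3d1740) = 0
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0"..., 832) = 832
1234  close(3)                            = 0
1234  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2e4c3d1a10) = 1235
[pid  1234] wait4(-1,  <unfinished ...>
[pid  1235] execve("/bin/true", ["true"], 0x55a1c0e2b9c0 /* 12 vars */) = 0
[pid  1235] exit_group(0)                 = ?
[pid  1235] +++ exited with 0 +++
[pid  1234] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1235, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
[pid  1234] <... wait4 resumed>) = 1235
[pid  1234] openat(AT_FDCWD, "/app/config.yaml", O_RDONLY) = 4
"""

# One strace line: optional PID prefix, optional -t/-tt or -r timestamp, then the
# syscall name directly followed by "(".
_SYSCALL_RE = re.compile(
    r"^\s*"
    r"(?:\[pid\s+\d+\]\s+|\d+\s+)?"          # "[pid  1234] " or "1234  "
    r"(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?"    # "12:34:56.789 " from -t/-tt
    r"(?:\d+\.\d+\s+)?"                       # "0.000123 " from -r
    r"([a-z_][a-z0-9_]*)\("                   # the syscall name
)


def parse_strace_syscalls(trace_text):
    """Return the set of syscall names that appear in raw strace output."""
    names = set()
    for line in trace_text.splitlines():
        match = _SYSCALL_RE.match(line)
        if match:
            names.add(match.group(1))
    return names


def build_seccomp_profile(syscalls, extra_allow=(),
                          architectures=("SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32")):
    """Build an OCI seccomp profile that allows only the given syscalls.

    defaultAction SCMP_ACT_ERRNO makes every unlisted syscall fail with EPERM
    instead of killing the process, so a missing syscall shows up in the
    application's own error logs. extra_allow covers syscalls that a trace run
    may never exercise, such as the process's shutdown path.
    """
    allowed = sorted(set(syscalls) | set(extra_allow))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(architectures),
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW"}],
    }


def profile_json(trace_text, extra_allow=()):
    """Trace text in, profile JSON text out."""
    profile = build_seccomp_profile(parse_strace_syscalls(trace_text), extra_allow)
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    # Assumed usage: strace -f -o trace.log ./server, then
    # python3 trace2seccomp.py < trace.log > profile.json
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    print(profile_json(text, extra_allow={"exit", "exit_group", "rt_sigreturn"}))
```

Because strace records only the code paths that were actually exercised, run the trace under the application's full test suite (including error handling and shutdown) before trusting the resulting allowlist. To use the generated file as a custom profile in Kubernetes, place it under the kubelet's seccomp root directory on each node (by default /var/lib/kubelet/seccomp/) and reference it from the pod with seccompProfile type Localhost and localhostProfile set to the file's path relative to that directory.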

Use the inspection feature to detect security risks in workloads

Container Service for Kubernetes (ACK) clusters provide the inspection feature to help you detect security risks in workloads in real time. An inspection report can be provided to the security O&M engineer. After the inspection is complete, you can view the failed inspection items and suggestions in the inspection report. This improves the security of the workloads.

Use Alibaba Cloud Security Center

You can use Security Center to detect and block threats in runtimes of cloud-native applications. This secures the runtime of each pod. Security Center can automatically obtain information about threats in cloud-native applications and use the information to analyze the threats, identify the sources of the threats, generate suitable responses, and handle the threats. Security Center also associates different types of logs, analyzes contexts, and detects risks in real time, such as malicious code or command execution, SQL injections, and data breaches. This can help prevent intrusions and identify vulnerabilities in your business systems. Security Center can audit actions and identify risks in real time based on Kubernetes logs and operations logs. This helps you mitigate the risks of container escapes, AccessKey breaches, and unauthorized access in ACK and other orchestration platforms. For more information, see What is Security Center?