containers, programming, golang, hacks, kubernetes, productivity, books
This post shows how you can enable seccomp on all the Pods that are deployed with Prometheus Operator
Seccomp helps us limit the system calls the process inside container can make. And PodSecurityPolicy is the way to enable it on pods in Kubernetes.
Understanding the seccomp profile json format
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications. Seccomp filtering provides a means for a process to specify a filter for incoming system calls.
I am a Senior Software Engineer at Microsoft, working on various tooling around container technology like Docker, Kubernetes, etc.