Failed to create pod sandbox: rpc error: code = Unknown desc = seccomp is not enabled in your kernel, cannot run with a profile Failed to create pod sandbox: rpc error: code = Unknown desc = seccomp is not enabled in your kernel, cannot run with a profile kubernetes kubernetes

Failed to create pod sandbox: rpc error: code = Unknown desc = seccomp is not enabled in your kernel, cannot run with a profile


kubernetes seccomp cri-o

Kubernetes Dashboard Deployment yaml the seccomp by default is set to seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'

This means it's using default container runtime profile which we can read here

The use of seccomp profiles in pods can be controlled via annotations on the PodSecurityPolicy. Seccomp is an alpha feature in Kubernetes.

seccomp.security.alpha.kubernetes.io/defaultProfileName - Annotation that specifies the default seccomp profile to apply to containers. Possible values are:

  • unconfined - Seccomp is not applied to the container processes (this is the default in Kubernetes), if no alternative is provided.
  • runtime/default - The default container runtime profile is used.
  • docker/default - The Docker default seccomp profile is used. Deprecated as of Kubernetes 1.11. Use runtime/default instead.
  • localhost/<path> - Specify a profile as a file on the node located at <seccomp_root>/<path>, where <seccomp_root> is defined via the --seccomp-profile-root flag on the Kubelet.

There is a github issue for Unexpected behavior with empty seccomp profile.In the discussion @saschagrunert mentions:

... Generally it was not possible for me to find any generalized description of:

  • If a profile is specified to a pod, it applies to all containers as well
    (only supported by seccomp right now)
  • If a profile is specified to a container, it overwrites the pods profile
  • We always default to runtime/default

I really would like to enforce this from a security perspective and document it properly in a dedicated security section inside this repository. WDYT?

Btw, we should probably push for GA grauduation of seccomp and AppArmor to get a first class API inside the securityContext, like we have for SELinux. See: https://kubernetes.io/docs/tutorials/clusters/apparmor/#upgrade-path-to-general-availability

As already mentioned by @CptBuko, he manged a workaround for himself by setting seccomp.security.alpha.kubernetes.io/pod: unconfined which is not applying seccomp to the container processes.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last