Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 33. Restricting Application Capabilities Using Seccomp

33.1. Overview
링크 복사

Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in OpenShift Container Platform.

Seccomp support is achieved via two annotations in the pod configuration:

  • seccomp.security.alpha.kubernetes.io/pod: profile applies to all containers in the pod that do not override
  • container.seccomp.security.alpha.kubernetes.io/<container_name>: container-specific profile override
Important

Containers are run with unconfined seccomp settings by default.

For detailed design information, refer to the seccomp design document.

33.2. Enabling Seccomp
링크 복사

Seccomp is a feature of the Linux kernel. To ensure seccomp is enabled on your system, run: 

$ cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=
CONFIG_SECCOMP=y
Copy to Clipboard Toggle word wrap

33.3. Configuring OpenShift Container Platform for Seccomp
링크 복사

A seccomp profile is a json file providing syscalls and the appropriate action to take when a syscall is invoked.

  1. Create the seccomp profile.

    The default profile is sufficient in many cases, but the cluster administrator must define the security constraints of an individual system.

    To create your own custom profile, create a file on every node in the seccomp-profile-root directory.

    If you are using the default docker/default profile, you do not need to create one.

  2. Configure your nodes to use the seccomp-profile-root directory to store your profiles using the kubeletArguments in the appropriate node configuration map: 

    kubeletArguments:
  seccomp-profile-root:
    - "/your/path"
    Copy to Clipboard Toggle word wrap

  3. Restart the node service to apply the changes: 

    # systemctl restart atomic-openshift-node
    Copy to Clipboard Toggle word wrap

  4. In order to control which profiles may be used, and to set the default profile, configure your SCC via the seccompProfiles field. The first profile will be used as a default.

    The allowable formats of the seccompProfiles field include:

    • docker/default: the default profile for the container runtime (no profile required)
    • unconfined: unconfined profile, and disables seccomp

    • localhost/<profile-name>: the profile installed to the node’s local seccomp profile root

      For example, if you are using the default docker/default profile, configure your SCC with: 

      seccompProfiles:
- docker/default
      Copy to Clipboard Toggle word wrap

33.4. Configuring OpenShift Container Platform for a Custom Seccomp Profile
링크 복사

To ensure pods in your cluster run with a custom profile:

  1. Create the seccomp profile in seccomp-profile-root.

  2. Configure seccomp-profile-root: 

    kubeletArguments:
  seccomp-profile-root:
    - "/your/path"
    Copy to Clipboard Toggle word wrap

  3. Restart the node service to apply the changes: 

    # systemctl restart atomic-openshift-node
    Copy to Clipboard Toggle word wrap

  4. Configure your SCC: 

    seccompProfiles:
- localhost/<profile-name>
    Copy to Clipboard Toggle word wrap
맨 위로 이동
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2025 Red Hat