kubesec.io > index > .metadata .annotations ."seccomp.security.alpha.kubernetes.io/pod"

.metadata .annotations ."seccomp.security.alpha.kubernetes.io/pod"

Seccomp profiles are unconfined by default. Add a profile to set minimum privilege and secure against unknown threats

Seccomp is a system call filtering facility in the Linux kernel which lets applications define limits on system calls they may make, and what should happen when system calls are made. Seccomp is used to reduce the attack surface available to applications. source

Specify a Seccomp profile for all containers of the Pod:

seccomp.security.alpha.kubernetes.io/pod

Specify a Seccomp profile for an individual container:

container.seccomp.security.alpha.kubernetes.io/${container_name}

External Links

Seccomp Design doc
OCI Runtime Spec
Seccomp filtering at Kernel.org
Linux Seccomp examples