Kubernetes Pods and their containers specify the runtime default seccomp profile using seccompProfile.type: RuntimeDefault in the security context.
The evaluation looks for this setting at the Pod level or per container.
Risk
Without seccomp RuntimeDefault, containers may run unconfined and invoke risky syscalls, expanding the kernel attack surface.
- Container escape, privilege escalation (integrity)
- Data access or exfiltration (confidentiality)
- Node or workload disruption (availability)
prowler kubernetes --checks core_seccomp_profile_docker_default
Recommendation
Enforce least privilege for syscalls:
- Set seccompProfile.type: RuntimeDefault on Pods/containers
- Use tailored profiles for sensitive workloads
- Avoid privileged or unconfined containers; drop unused capabilities
- Combine with AppArmor/SELinux and policy guardrails to enforce and audit
Remediation
kubectl patch deployment <example_resource_name> --type=merge -p '{"spec":{"template":{"spec":{"securityContext":{"seccompProfile":{"type":"RuntimeDefault"}}}}}}'
- Open the manifest of your workload (Deployment/StatefulSet/Pod)
- Under the Pod spec, add:
  spec:
    securityContext:
      seccompProfile:
        type: RuntimeDefault
- For controllers (e.g., Deployment), place this under spec.template.spec
- Apply the change: kubectl apply -f <your_manifest.yaml>
- Wait for pods to restart and confirm the setting on new pods
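The evaluation described at the top of this page (Pod-level or per-container seccompProfile) and the remediation steps above, as an added example that is not Prowler's own check code: it walks a parsed manifest, unwraps spec.template for controllers, and applies Kubernetes precedence, where a container-level seccompProfile overrides the Pod-level one. Only RuntimeDefault counts as passing, matching the check described here; the sample manifests are constructed.

```python
RUNTIME_DEFAULT = "RuntimeDefault"


def _pod_spec(manifest):
    """Return the Pod spec; controllers (Deployment etc.) nest it under spec.template."""
    spec = manifest.get("spec", {})
    return spec["template"].get("spec", {}) if "template" in spec else spec


def _profile_type(security_context):
    """Return seccompProfile.type from a securityContext dict, or None if unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")


def noncompliant_containers(manifest):
    """Names of containers/initContainers whose effective profile is not RuntimeDefault."""
    spec = _pod_spec(manifest)
    pod_level = _profile_type(spec.get("securityContext"))
    bad = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        own = _profile_type(container.get("securityContext"))
        # Container-level setting wins; otherwise inherit the Pod-level profile.
        effective = own if own is not None else pod_level
        if effective != RUNTIME_DEFAULT:
            bad.append(container["name"])
    return bad


def check_seccomp_runtime_default(manifest):
    """PASS when every container runs with RuntimeDefault, else FAIL."""
    return "PASS" if not noncompliant_containers(manifest) else "FAIL"


# Constructed sample manifests (not real workloads).
POD_LEVEL_OK = {"kind": "Pod", "spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app"}, {"name": "sidecar"}]}}
PER_CONTAINER_OK = {"kind": "Pod", "spec": {"containers": [
    {"name": "app", "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]}}
OVERRIDE_BAD = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app"},
                   {"name": "debug", "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}}}
UNSET_BAD = {"kind": "Pod", "spec": {"containers": [{"name": "app"}]}}

if __name__ == "__main__":
    for name, m in [("pod-level", POD_LEVEL_OK), ("per-container", PER_CONTAINER_OK),
                    ("override", OVERRIDE_BAD), ("unset", UNSET_BAD)]:
        print(name, check_seccomp_runtime_default(m), noncompliant_containers(m))
```

The override case shows why checking only the Pod-level field is not enough: a single container that sets Unconfined discards the Pod-level RuntimeDefault for itself.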
Resource Type
Pod