Harden containers with seccomp profiles, AppArmor in Kubernetes, rootless containers, Pod Security Admission, and Linux capability dropping.
1 / 5
What does a seccomp profile in Kubernetes restrict?
seccomp in Kubernetes: apply via securityContext.seccompProfile.type: RuntimeDefault (the container runtime's default profile) or Localhost with a custom profile path. The default profile blocks ~47 dangerous syscalls. The Unconfined setting (the historical default) allows all syscalls — a significant risk if a container is exploited.
2 / 5
What is AppArmor and how is it applied to Kubernetes pods?
AppArmor in Kubernetes: the profile must already be loaded on the node where the pod is scheduled. The pod annotation container.apparmor.security.beta.kubernetes.io/app: localhost/my-profile applies it (app is the container's name, my-profile the name of the loaded profile). AppArmor profiles can enforce that a container only reads files under /app and cannot access /etc/passwd, limiting lateral movement after a container compromise.
3 / 5
What are rootless containers and how do they reduce the impact of a container escape?
Rootless containers: Podman's default mode and rootless Docker use user namespaces. Inside the container, the process appears to run as root (UID 0), but on the host it maps to an unprivileged UID (e.g. 100000). A container escape yields a process with the permissions of a regular user, not root — dramatically reducing the blast radius.
4 / 5
What is Pod Security Admission (PSA) and what replaced Pod Security Policies?
Pod Security Admission (the built-in replacement for PodSecurityPolicy): namespaces are labelled with pod-security.kubernetes.io/enforce: restricted. The Restricted profile requires non-root containers, disallows privilege escalation, enforces seccomp RuntimeDefault, and drops all Linux capabilities. Violating pods are rejected at admission time, enforcing security standards without custom webhooks.
5 / 5
What does dropping Linux capabilities achieve in container security?
Capability dropping: securityContext.capabilities.drop: ["ALL"] removes all capabilities; then add back only what the application needs, e.g. add: ["NET_BIND_SERVICE"] for a server binding to port 80. This is the principle of least privilege applied at the kernel privilege level, and it is effective even in containers that run as root.