--- apiVersion: security-profiles-operator.x-k8s.io/v1beta1 kind: SeccompProfile metadata: name: profile-block-all namespace: seccomp-test annotations: description: "Blocks all syscalls." spec: defaultAction: "SCMP_ACT_ERRNO" --- apiVersion: security-profiles-operator.x-k8s.io/v1beta1 kind: SeccompProfile metadata: name: profile-complain-unsafe namespace: seccomp-test annotations: description: "UNSAFE: Allows all syscalls whilst logging their use. Similar to running as unconfined in terms of enforcement." spec: defaultAction: "SCMP_ACT_LOG" --- apiVersion: security-profiles-operator.x-k8s.io/v1beta1 kind: SeccompProfile metadata: name: profile-allow-unsafe namespace: seccomp-test annotations: description: "UNSAFE: Allows all syscalls. Similar to running as unconfined as it provides no enforcement." spec: defaultAction: "SCMP_ACT_ALLOW" --- apiVersion: security-profiles-operator.x-k8s.io/v1beta1 kind: SeccompProfile metadata: name: profile-complain-block-high-risk namespace: seccomp-test annotations: description: "Enables complain mode whilst blocking high-risk syscalls. Some essential syscalls are allowed to decrease log noise." spec: defaultAction: SCMP_ACT_LOG architectures: - SCMP_ARCH_X86_64 syscalls: - action: SCMP_ACT_ALLOW names: - exit - exit_group - futex - nanosleep - action: SCMP_ACT_ERRNO names: - acct - add_key - bpf - clock_adjtime - clock_settime - create_module - delete_module - finit_module - get_kernel_syms - get_mempolicy - init_module - ioperm - iopl - kcmp - kexec_file_load - kexec_load - keyctl - lookup_dcookie - mbind - mount - move_pages - name_to_handle_at - nfsservctl - open_by_handle_at - perf_event_open - personality - pivot_root - process_vm_readv - process_vm_writev - ptrace - query_module - quotactl - reboot - request_key - set_mempolicy - setns - settimeofday - stime - swapoff - swapon - _sysctl - sysfs - umount2 - umount - unshare - uselib - userfaultfd - ustat - vm86old - vm86