TF 0480 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Runtime/Default Seccomp profile not set

| Property | Value |
|----------|-------|
| Language | terraform |
| Severity | low |

Description

The Kubernetes pod or container defined by this Terraform resource does not set a seccomp profile. Unless the cluster's kubelet has been configured with seccompDefault enabled, a pod with no seccompProfile runs with the effective profile Unconfined: no system call filter is applied at all, and the workload can issue any syscall the kernel exposes instead of the restricted set permitted by the container runtime's default profile (RuntimeDefault). This leaves the workload with a more permissive posture than security best practices call for.

Impact

Without the RuntimeDefault seccomp profile, whatever runs inside the container has the full host syscall surface available to it, including the rarely needed or historically risky syscalls that the runtime default profile blocks. If the container is compromised, that wider surface gives an attacker more ways to reach kernel code paths and trigger kernel vulnerabilities, which can lead to privilege escalation or a container escape onto the node. Seccomp is one isolation layer among several; it complements, rather than replaces, dropping capabilities, running as non-root and disallowing privilege escalation.

Resolution

Set 'spec.securityContext.seccompProfile.type' to 'RuntimeDefault' at the pod level. Containers and init containers inherit the pod-level setting, so 'spec.containers[].securityContext.seccompProfile' and 'spec.initContainers[].securityContext.seccompProfile' may either be left undefined (inheriting RuntimeDefault) or set explicitly to 'RuntimeDefault'; they must not override the pod with 'Unconfined'. In the Terraform kubernetes provider these map to the 'security_context { seccomp_profile { type = "RuntimeDefault" } }' block on the pod spec and, optionally, on each 'container' and 'init_container'.
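The configuration below is an added example, not code from the vulnerability database or from any scanned project: it shows a pod resource in the form this rule flags next to the corrected form, using the Terraform kubernetes provider. The resource and image names are placeholders chosen for illustration.

```terraform
# Added example for TF 0480 (not part of the original page). Resource names,
# pod names and images are placeholders.

# Flagged form: no seccomp_profile on the pod or its containers. Unless the
# kubelet runs with seccompDefault enabled, this pod's container is Unconfined.
resource "kubernetes_pod_v1" "flagged" {
  metadata {
    name = "app-unconfined"
  }

  spec {
    container {
      name  = "app"
      image = "nginx:1.25"
    }
  }
}

# Corrected form: RuntimeDefault set at pod level. Every container and init
# container inherits it unless it sets its own seccomp_profile, and none of
# them may set Unconfined.
resource "kubernetes_pod_v1" "fixed" {
  metadata {
    name = "app-runtime-default"
  }

  spec {
    # spec.securityContext.seccompProfile.type
    security_context {
      seccomp_profile {
        type = "RuntimeDefault"
      }
    }

    # spec.initContainers[].securityContext.seccompProfile left undefined:
    # the init container inherits RuntimeDefault from the pod.
    init_container {
      name    = "init"
      image   = "busybox:1.36"
      command = ["sh", "-c", "true"]
    }

    # spec.containers[].securityContext.seccompProfile set explicitly.
    # This is optional given the pod-level setting, but it keeps the intent
    # visible in the container block itself.
    container {
      name  = "app"
      image = "nginx:1.25"

      security_context {
        seccomp_profile {
          type = "RuntimeDefault"
        }
      }
    }
  }
}
```

After applying, confirm the setting reached the API server with `kubectl get pod app-runtime-default -o jsonpath='{.spec.securityContext.seccompProfile}'`, which should print `{"type":"RuntimeDefault"}`. The same `security_context { seccomp_profile { ... } }` block goes inside the pod `template` of `kubernetes_deployment_v1`, `kubernetes_stateful_set_v1`, `kubernetes_daemon_set_v1` and `kubernetes_job_v1` resources. A `Localhost` profile with a custom allowlist file on the node is stricter than RuntimeDefault, but the rule as described on this page looks specifically for RuntimeDefault.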