k8s默认seccomp禁用研究

CVE-2022-0185 in Linux Kernel Can Allow Container Escape in s

root@ubutest2:/# pscap -a
ppid pid   name       command           capabilities
0     1     root       bash             chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap

root@ubutest2:/# unshare -r
# pscap -a
ppid pid   name       command           capabilities
0     1     root       bash             chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap
1     270   root       sh               full

实践

通过下面命令启动一个容器

apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    # Tell Kubernetes to apply the AppArmor profile "k8s-apparmor-example-deny-write".
    # Note that this is ignored if the Kubernetes node is not running version 1.4 or greater.
    container.apparmor.security.beta.kubernetes.io/hello: unconfined
spec:
  containers:
  - name: hello
    image: busybox:1.28
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]