Terraform Unconfined Seccomp Profile
Description
Detects Kubernetes configurations where containers are running with unconfined seccomp profiles or missing seccomp configurations. This creates a security risk by allowing containers unrestricted access to system calls, potentially enabling container escapes or system compromise.
Detection Strategy
• Inspects Kubernetes resource definitions (like Pod, Deployment, etc.) for container specifications
• Checks if securityContext.seccompProfile is explicitly set to 'unconfined'
• Identifies containers that do not specify any seccomp profile configuration
• Reports vulnerable configurations in container specs that allow unrestricted system calls
Vulnerable code example

resource "kubernetes_pod" "example" {
  metadata {
    name = "example-pod"
  }
  spec {
    container {
      name  = "web"
      image = "nginx"
      # No security_context.seccomp_profile at pod or container level:
      # the container runs with an unconfined seccomp profile
    }
  }
}

✅ Secure code example
resource "kubernetes_pod" "example" {
  metadata {
    name = "example-pod"
  }
  spec {
    automount_service_account_token = false # Prevent auto-mounting of service account tokens
    security_context {
      seccomp_profile {
        type = "RuntimeDefault" # Apply the container runtime's default seccomp profile to every container
      }
    }
    container {
      name  = "web"
      image = "nginx"
    }
  }
}
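The detection strategy above, implemented as an added example (this is not Fluid Attacks' scanner nor code from the Terraform Kubernetes provider): a small parser for the subset of HCL the examples use (attributes, nested blocks, block labels, string/bool/number literals and `#` comments), followed by the seccomp check itself. It resolves the effective profile the way Kubernetes does, a container-level `security_context.seccomp_profile` overriding the pod-level one, and reports a container as `missing` when neither level sets one or `unconfined` when the effective type is `Unconfined`. The Terraform text at the bottom is constructed sample input; `SAMPLE_TF`, `find_seccomp_findings` and the other names are this example's own.

```python
"""Flag Terraform kubernetes_pod resources whose containers run without a
restrictive seccomp profile (missing) or with an explicitly Unconfined one."""
import re

# Tokens: whitespace, '#' comments, quoted strings, identifiers, numbers, punctuation.
TOKEN_RE = re.compile(r'\s+|#[^\n]*|"[^"]*"|[A-Za-z_][A-Za-z0-9_-]*|\d+|[{}=]')


def tokenize(text):
    """Split HCL text into tokens, dropping whitespace and comments."""
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        pos = m.end()
        tok = m.group(0)
        if not tok.isspace() and not tok.startswith("#"):
            tokens.append(tok)
    return tokens


def literal(tok):
    """Convert a token to a Python value: string, bool or int."""
    if tok.startswith('"'):
        return tok[1:-1]
    if tok in ("true", "false"):
        return tok == "true"
    if tok.isdigit():
        return int(tok)
    return tok


def parse_body(tokens, i=0):
    """Parse `name = value` attributes and `name [labels] { ... }` blocks.
    Repeated blocks (e.g. several `container` blocks) become a list under
    their name; block labels are kept under the '_labels' key."""
    body = {}
    while i < len(tokens) and tokens[i] != "}":
        name = tokens[i]
        i += 1
        if tokens[i] == "=":
            body[name] = literal(tokens[i + 1])
            i += 2
        else:
            labels = []
            while tokens[i] != "{":
                labels.append(literal(tokens[i]))
                i += 1
            block, i = parse_body(tokens, i + 1)
            if labels:
                block["_labels"] = labels
            body.setdefault(name, []).append(block)
            i += 1  # consume the closing '}'
    return body, i


def seccomp_type(security_contexts):
    """Return seccomp_profile.type from a list of security_context blocks, or None."""
    for ctx in security_contexts or []:
        for profile in ctx.get("seccomp_profile", []):
            if "type" in profile:
                return profile["type"]
    return None


def find_seccomp_findings(hcl_text):
    """Return (resource_name, container_name, reason) for each offending container."""
    findings = []
    config, _ = parse_body(tokenize(hcl_text))
    for res in config.get("resource", []):
        kind, res_name = res["_labels"][:2]
        if kind != "kubernetes_pod":
            continue
        for spec in res.get("spec", []):
            pod_level = seccomp_type(spec.get("security_context"))
            for kind_key in ("container", "init_container"):
                for ctr in spec.get(kind_key, []):
                    # Container-level setting overrides the pod-level default.
                    effective = seccomp_type(ctr.get("security_context")) or pod_level
                    if effective is None:
                        findings.append((res_name, ctr.get("name"), "missing"))
                    elif effective.lower() == "unconfined":
                        findings.append((res_name, ctr.get("name"), "unconfined"))
    return findings


# Constructed sample input: one pod with no profile at all, one pod with a
# RuntimeDefault pod-level profile that a second container overrides.
SAMPLE_TF = '''
resource "kubernetes_pod" "missing" {
  metadata { name = "missing-pod" }
  spec {
    container {
      name  = "web"
      image = "nginx"
    }
  }
}

resource "kubernetes_pod" "mixed" {
  metadata { name = "mixed-pod" }
  spec {
    automount_service_account_token = false
    security_context {
      seccomp_profile { type = "RuntimeDefault" }  # inherited by containers
    }
    container {
      name  = "web"
      image = "nginx"
    }
    container {
      name  = "debug"
      image = "busybox"
      security_context {
        seccomp_profile { type = "Unconfined" }    # overrides the pod default
      }
    }
  }
}
'''

if __name__ == "__main__":
    for resource, container, reason in find_seccomp_findings(SAMPLE_TF):
        print(f"kubernetes_pod.{resource} container={container}: seccomp {reason}")
```

A container with no profile at either level is reported as `missing` rather than ignored because, unless the kubelet is configured to apply `RuntimeDefault` to unspecified containers, Kubernetes runs it unconfined; treating the absence as a finding is what keeps the check honest across clusters with different kubelet settings.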