We tested Copy Fail in Kubernetes: RuntimeDefault seccomp still allowed AF_ALG from pods

Reddit r/kubernetes·u/JulietSecurity·about 1 month ago

Copy Fail is the recent Linux kernel issue involving `AF_ALG`, the kernel crypto socket interface, and page-cache-backed file data. The short version: it is kernel attack surface reachable through a syscall path, not an application dependency inside an image.

That matters for Kubernetes because pods share the host kernel. If a node kernel is affected, the question is not just "is my container image vulnerable?" It is "can a workload on this node reach the vulnerable kernel interface?"

The specific Kubernetes question I wanted to answer was: if a pod is running with common hardening like PSS Restricted and `RuntimeDefault` seccomp, is the relevant kernel interface still reachable from inside the pod? In our Talos and EKS lab clusters, the answer was yes. `RuntimeDefault` did not deny `socket(AF_ALG, ...)`.…
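The post stops at the observation that `RuntimeDefault` leaves `socket(AF_ALG, ...)` reachable. The natural defender's follow-up is a `Localhost` seccomp profile that denies only that address family. Kubernetes cannot layer an extra rule on top of `RuntimeDefault`; a `Localhost` profile replaces the runtime default wholesale, so in practice you take the runtime's own default JSON (containerd's or Docker's, both `defaultAction: SCMP_ACT_ERRNO` plus allow rules) and transform it. The script below is an added example, not code from the post or from Talos, EKS or any runtime. It assumes an OCI/Docker-style seccomp JSON as input; `BASE_PROFILE` is a constructed stand-in for the real default profile, and the `AF_ALG = 38` constant is the Linux value for that family. `deny_af_alg` rewrites the profile so `socket()` is allowed only when argument 0 is not `AF_ALG` (letting `AF_ALG` fall through to the `SCMP_ACT_ERRNO` default, which avoids relying on precedence between an unconditional allow and a conditional deny), `socket_allowed` statically evaluates a profile for a given family so the change can be unit-tested, and `probe_af_alg` is the runtime check to run in a test pod before and after applying the profile.

```python
"""Build an AF_ALG-denying seccomp profile and probe AF_ALG reachability.

Added example; not from the post or any runtime project. Assumes an
OCI/Docker-style seccomp JSON (defaultAction SCMP_ACT_ERRNO + allow rules).
"""
import copy
import errno
import json
import socket

AF_ALG = 38  # Linux address family of the kernel crypto API socket interface

# Constructed stand-in for a runtime default profile. Real containerd/Docker
# defaults list hundreds of syscalls; the shape (defaultAction + rules) is the same.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "socket", "connect", "bind"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    ],
}


def deny_af_alg(profile: dict) -> dict:
    """Return a copy of `profile` where socket() is allowed only if arg0 != AF_ALG.

    'socket' is removed from every unconditional allow rule and re-added with a
    SCMP_CMP_NE filter on argument 0 (the address family). socket(AF_ALG, ...)
    then matches no allow rule and gets the profile's default (ERRNO/EPERM).
    """
    out = copy.deepcopy(profile)
    for rule in out["syscalls"]:
        if rule.get("action") == "SCMP_ACT_ALLOW" and not rule.get("args"):
            rule["names"] = [n for n in rule.get("names", []) if n != "socket"]
    out["syscalls"] = [r for r in out["syscalls"] if r.get("names")]
    out["syscalls"].append({
        "names": ["socket"],
        "action": "SCMP_ACT_ALLOW",
        "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_NE"}],
    })
    return out


def _arg_matches(arg: dict, value: int) -> bool:
    """Model the two comparison operators this example emits."""
    if arg["op"] == "SCMP_CMP_EQ":
        return value == arg["value"]
    if arg["op"] == "SCMP_CMP_NE":
        return value != arg["value"]
    raise NotImplementedError(f"{arg['op']} is not modelled in this example")


def socket_allowed(profile: dict, family: int) -> bool:
    """Statically decide whether socket(family, ...) passes `profile`.

    Only argument 0 is evaluated; an allow rule with no args matches everything.
    """
    for rule in profile["syscalls"]:
        if "socket" not in rule.get("names", []) or rule["action"] != "SCMP_ACT_ALLOW":
            continue
        arg0 = [a for a in rule.get("args", []) if a["index"] == 0]
        if all(_arg_matches(a, family) for a in arg0):
            return True
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


def probe_af_alg() -> str:
    """Classify whether this process can open an AF_ALG socket.

    'reachable'  : the kernel crypto socket interface is usable from here
    'denied'     : EPERM/EACCES, e.g. a seccomp ERRNO rule or an LSM policy
    'unsupported': the kernel (or OS) has no AF_ALG at all
    """
    try:
        s = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as e:
        return "denied" if e.errno in (errno.EPERM, errno.EACCES) else "unsupported"
    s.close()
    return "reachable"


if __name__ == "__main__":
    hardened = deny_af_alg(BASE_PROFILE)
    print(json.dumps(hardened, indent=2))  # save under the kubelet seccomp root
    print("AF_ALG from this process:", probe_af_alg())
```

Write the transformed JSON under the kubelet's seccomp root (default `/var/lib/kubelet/seccomp`) on every node and reference it from the pod with `securityContext.seccompProfile` set to `type: Localhost` and `localhostProfile: <path relative to that root>`; PSS Restricted accepts `Localhost` as well as `RuntimeDefault`. Run `probe_af_alg` in a test pod under both profiles to confirm the result flips from `reachable` to `denied`. One caveat: on legacy 32-bit architectures where socket creation is multiplexed through `socketcall`, that syscall would need the same treatment, since the filter above only constrains the direct `socket` entry point.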
