# This week in Cloud Native 007
Date: Aug 16th, 2021
Host: @mauilion
### COC
This is an official livestream of the CNCF, and as such is subject to the CNCF Code of Conduct. Please do not add anything to the chat or questions that would be in violation of that code of conduct; basically, please be respectful of all of your fellow participants and presenters.
### "Registration for KubeCon + CloudNativeCon North America 2021 is now open for in-person and virtual! To explore all registration options, click the link here: https://bit.ly/2SkSzIT. Hope to see you there!"
* Schedule is [live](https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/program/schedule/)
### This week on cloudnative.tv!
#### [Playlists for your favorite shows.](https://www.youtube.com/c/cloudnativefdn/playlists)
#### New content every day of the week
CloudNative.tv this week
* [securekubernetes.com with Kaslin](https://twitter.com/kaslinfields/status/1425895255790870528?s=20)
### Kubernetes!
* [API removals in v1.22](https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/)
* [blog.k8s.io](https://blog.k8s.io)
### Kubernetes CVEs
* [The security announce group](https://groups.google.com/g/kubernetes-security-announce)
### CNCF Things!
* [eBPF Foundation!](https://isovalent.com/blog/post/2021-08-ebpf-foundation-announcement)
* [Kubernetes Weekly](https://www.cncf.io/kubeweekly/)
* August 19: Manage thousands of K8s applications with minimal efforts using KubeCarrier presented by Jiacheng Xu, Kubermatic - [RSVP](https://community.cncf.io/e/mnnusu/?utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_ckiweFAdKBIOcW5S6JhyXrQ51TNGofpbLgbVmWMznXWAuL2gN-T8W12OYSpNwDoRNraW7)
* August 19: Meshery - The Service Mesh manager presented by Lee Calcote, Layer5 - [RSVP](https://community.cncf.io/e/mpmnw6/?utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_ckiweFAdKBIOcW5S6JhyXrQ51TNGofpbLgbVmWMznXWAuL2gN-T8W12OYSpNwDoRNraW7)
* August 19: Crossing the boundary - Hybrid Kubernetes clusters with Wireguard presented by Andrew Rynhard & Sean McCord, Talos Systems - [RSVP](https://community.cncf.io/e/m4ssjf/?utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_ckiweFAdKBIOcW5S6JhyXrQ51TNGofpbLgbVmWMznXWAuL2gN-T8W12OYSpNwDoRNraW7)
## Playtime!
* [runtime default seccomp!](https://kubernetes.io/docs/tutorials/clusters/seccomp/)
* [What's Seccomp?](https://docs.docker.com/engine/security/seccomp/)
* What capabilities do I have in unconfined?
* What about docker defaults?
* What about containerd?
* capsh?
* amicontained?
* New kubelet feature gate (SeccompDefault, alpha in v1.22) that applies the RuntimeDefault seccomp profile to every pod that doesn't set one!
### unconfined
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
#### amicontained (seccomp disabled)
Seccomp: disabled
Blocked Syscalls (20):
MSGRCV SYSLOG SETSID VHANGUP PIVOT_ROOT ACCT SETTIMEOFDAY SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME INIT_MODULE DELETE_MODULE LOOKUP_DCOOKIE KEXEC_LOAD FANOTIFY_INIT OPEN_BY_HANDLE_AT FINIT_MODULE KEXEC_FILE_LOAD
Note: no seccomp filter is loaded here, so these 20 are not "filtered". amicontained probes each syscall and reports the ones that return EPERM; with seccomp disabled those EPERMs come from the capability bounding set above (reboot needs CAP_SYS_BOOT, init_module CAP_SYS_MODULE, sethostname CAP_SYS_ADMIN, and so on), not from a filter.
### Runtime default
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
#### amicontained (runtime default)
Seccomp: filtering
Blocked Syscalls (60):
MSGRCV SYSLOG SETSID USELIB USTAT SYSFS VHANGUP PIVOT_ROOT _SYSCTL ACCT SETTIMEOFDAY MOUNT UMOUNT2 SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE GET_KERNEL_SYMS QUERY_MODULE QUOTACTL NFSSERVCTL GETPMSG PUTPMSG AFS_SYSCALL TUXCALL SECURITY LOOKUP_DCOOKIE CLOCK_SETTIME VSERVER MBIND SET_MEMPOLICY GET_MEMPOLICY KEXEC_LOAD ADD_KEY REQUEST_KEY KEYCTL MIGRATE_PAGES UNSHARE MOVE_PAGES PERF_EVENT_OPEN FANOTIFY_INIT NAME_TO_HANDLE_AT OPEN_BY_HANDLE_AT SETNS PROCESS_VM_READV PROCESS_VM_WRITEV KCMP FINIT_MODULE KEXEC_FILE_LOAD BPF USERFAULTFD PKEY_MPROTECT PKEY_ALLOC PKEY_FREE
### containerd
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
#### amicontained (seccomp disabled)
Container Runtime: docker
Has Namespaces:
pid: true
user: false
AppArmor Profile: unconfined
Capabilities:
BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
Seccomp: disabled
Blocked Syscalls (20):
MSGRCV SYSLOG SETSID VHANGUP PIVOT_ROOT ACCT SETTIMEOFDAY SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME INIT_MODULE DELETE_MODULE LOOKUP_DCOOKIE KEXEC_LOAD FANOTIFY_INIT OPEN_BY_HANDLE_AT FINIT_MODULE KEXEC_FILE_LOAD
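Added example, not code from the stream or from the projects it mentions: a small script that runs amicontained in a throwaway pod with a chosen seccomp profile and diffs the two "Blocked Syscalls" lines captured above, so the delta between Unconfined and RuntimeDefault is visible as a list rather than two counts. Assumptions: an image in $PROBE_IMAGE with amicontained on its PATH, and a cluster on Kubernetes 1.19 or later so pod.spec.securityContext.seccompProfile exists. Only probe() needs a cluster; everything else runs offline on the lists copied from the notes, and the sample amicontained output is constructed here to exercise the parsing.

```shell
#!/bin/sh
# Added example (not from the stream notes). Compare what amicontained
# reports for a pod with seccomp Unconfined vs. RuntimeDefault.
# Assumptions: $PROBE_IMAGE carries amicontained on its PATH; the cluster
# runs Kubernetes 1.19+ (seccompProfile in the pod securityContext).
set -eu

# "Blocked Syscalls" lines copied from the two amicontained runs above:
# 20 with "Seccomp: disabled", 60 with "Seccomp: filtering".
UNCONFINED_BLOCKED='MSGRCV SYSLOG SETSID VHANGUP PIVOT_ROOT ACCT SETTIMEOFDAY SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME INIT_MODULE DELETE_MODULE LOOKUP_DCOOKIE KEXEC_LOAD FANOTIFY_INIT OPEN_BY_HANDLE_AT FINIT_MODULE KEXEC_FILE_LOAD'
RUNTIME_DEFAULT_BLOCKED='MSGRCV SYSLOG SETSID USELIB USTAT SYSFS VHANGUP PIVOT_ROOT _SYSCTL ACCT SETTIMEOFDAY MOUNT UMOUNT2 SWAPON SWAPOFF REBOOT SETHOSTNAME SETDOMAINNAME IOPL IOPERM CREATE_MODULE INIT_MODULE DELETE_MODULE GET_KERNEL_SYMS QUERY_MODULE QUOTACTL NFSSERVCTL GETPMSG PUTPMSG AFS_SYSCALL TUXCALL SECURITY LOOKUP_DCOOKIE CLOCK_SETTIME VSERVER MBIND SET_MEMPOLICY GET_MEMPOLICY KEXEC_LOAD ADD_KEY REQUEST_KEY KEYCTL MIGRATE_PAGES UNSHARE MOVE_PAGES PERF_EVENT_OPEN FANOTIFY_INIT NAME_TO_HANDLE_AT OPEN_BY_HANDLE_AT SETNS PROCESS_VM_READV PROCESS_VM_WRITEV KCMP FINIT_MODULE KEXEC_FILE_LOAD BPF USERFAULTFD PKEY_MPROTECT PKEY_ALLOC PKEY_FREE'

# Run amicontained once in a throwaway pod and print its output.
# $1 = pod name, $2 = seccomp profile type (Unconfined or RuntimeDefault).
# Needs a cluster; not called in the offline run below.
probe() {
  kubectl run "$1" --rm -i --restart=Never --image="$PROBE_IMAGE" \
    --overrides="{\"spec\":{\"securityContext\":{\"seccompProfile\":{\"type\":\"$2\"}}}}" \
    -- amicontained
}

# Extract the seccomp mode ("disabled" or "filtering") from amicontained output.
seccomp_mode() {
  printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; exit }'
}

# Extract the syscall names on the line after "Blocked Syscalls (N):".
blocked_syscalls() {
  printf '%s\n' "$1" | awk '/^Blocked Syscalls/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Names in list $2 that do not appear in list $1 (POSIX sh, no comm/bash needed).
not_in() {
  for name in $2; do
    case " $1 " in
      *" $name "*) ;;
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# Names that appear in both lists.
in_both() {
  for name in $2; do
    case " $1 " in
      *" $name "*) printf '%s\n' "$name" ;;
    esac
  done
}

# What the RuntimeDefault profile blocks on top of an unconfined pod.
only_runtime_default() { not_in "$UNCONFINED_BLOCKED" "$RUNTIME_DEFAULT_BLOCKED"; }

# What is blocked even with seccomp disabled. amicontained reports any
# EPERM as "blocked", and without a filter these come from the capability
# bounding set: reboot needs CAP_SYS_BOOT, init_module CAP_SYS_MODULE,
# sethostname and swapon CAP_SYS_ADMIN.
blocked_without_seccomp() { in_both "$UNCONFINED_BLOCKED" "$RUNTIME_DEFAULT_BLOCKED"; }

# Constructed sample mirroring the unconfined run in the notes, so the
# parsers can be exercised without a cluster.
SAMPLE_OUTPUT="Container Runtime: docker
Has Namespaces:
  pid: true
  user: false
AppArmor Profile: unconfined
Seccomp: disabled
Blocked Syscalls (20):
  $UNCONFINED_BLOCKED"

# Offline run: parse the sample, then show the delta between the two modes.
printf 'sample seccomp mode: %s\n' "$(seccomp_mode "$SAMPLE_OUTPUT")"
printf 'sample blocked count: %s\n' "$(blocked_syscalls "$SAMPLE_OUTPUT" | wc -w | tr -d ' ')"
printf 'blocked only by RuntimeDefault (%s):\n' "$(only_runtime_default | wc -l | tr -d ' ')"
only_runtime_default | tr '\n' ' '; echo
```

To use it against a real cluster, capture `probe probe-unconfined Unconfined` and `probe probe-default RuntimeDefault` into variables and feed each through blocked_syscalls before calling not_in; the offline lists are there so the diff logic can be checked first. The 40 names that only RuntimeDefault blocks include mount, umount2, unshare, setns, bpf, perf_event_open, ptrace-adjacent process_vm_readv/writev and the key management calls, which is the part of the attack surface a pod keeps when the kubelet leaves seccomp unconfined.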
### References:
https://github.com/JimBugwadia/pod-security-tests