title | weight | description |
---|---|---|
Installation | 10 | How to install. |
Seccomp Agent is a DaemonSet deployed in the cluster and relies on new features in runc.
System Requirements:
- Linux kernel >= 5.9
- Libseccomp >= 2.5.2 (>= 2.5.2 recommended)
- Runc >= 1.1.0
- Docker from git (needs to include this PR)
- Or, if you are using containerd instead of Docker, containerd >= 1.5.5 (>= 1.6.0-rc.1 recommended)
Recommended:
- Flatcar Container Linux >= 3127.0.0
- containerd >= 1.6.0-rc1
- Security Profiles Operator (SPO) >= v0.4.1 (unreleased) or from git main
To confirm that the installed container runtime version supports seccomp notify, use the command below:
strings $(which dockerd) | grep listenerPath
Or, if you are using containerd as your runtime:
strings $(which containerd) | grep listenerPath
If the output is empty, your container runtime does not have the seccomp notify feature enabled. Check the requirements again in case you missed one.
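The minimum versions and the listenerPath test above can be combined into one preflight check to run on a worker node. This is an added example, not part of the Seccomp Agent project: the function names are hypothetical, it covers the kernel, runc and libseccomp minimums plus the listenerPath test, and it assumes `runc --version` prints `runc version X` on its first line and a `libseccomp: Y` line.

```shell
# Added example; function names are hypothetical and not part of Seccomp Agent.

# "v1.6.0-rc.1" -> "1.6.0", "5.15.0-91-generic" -> "5.15.0" (suffixes are dropped).
ver_core() {
    printf '%s\n' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*$//'
}

# version_ge HAVE WANT: succeeds when HAVE >= WANT on the first three numeric fields.
version_ge() {
    have=$(ver_core "$1"); want=$(ver_core "$2")
    [ -n "$have" ] || return 1          # tool missing or unparsable output
    awk -v a="$have" -v b="$want" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Same test as the page's `strings ... | grep listenerPath`, without needing binutils.
has_listener_path() {
    [ -r "$1" ] && grep -aq listenerPath "$1"
}

# report LABEL HAVE WANT: print one result line, return 1 when the minimum is not met.
report() {
    if version_ge "$2" "$3"; then echo "ok    $1 $2 (need >= $3)"
    else echo "FAIL  $1 ${2:-not found} (need >= $3)"; return 1; fi
}

preflight() {
    rc=0
    report kernel "$(uname -r)" 5.9 || rc=1
    # Assumed output format: first line "runc version X", later a line "libseccomp: Y".
    out=$(runc --version 2>/dev/null || true)
    report runc "$(echo "$out" | awk 'NR == 1 { print $3 }')" 1.1.0 || rc=1
    report libseccomp "$(echo "$out" | awk '/^libseccomp:/ { print $2 }')" 2.5.2 || rc=1
    for rt in dockerd containerd; do
        bin=$(command -v "$rt") || continue
        if has_listener_path "$bin"; then echo "ok    $rt contains listenerPath"
        else echo "FAIL  $rt lacks listenerPath"; rc=1; fi
    done
    return "$rc"
}

preflight || echo "Requirements not met on this node."
```

`preflight` returns non-zero when any check fails, so it can gate a node-provisioning step. The comparison is numeric per field, which avoids the string-comparison mistake of ranking kernel 5.10 below 5.9.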
In the docs/terraform directory, you can find Terraform files to start a Kubernetes cluster with the required dependencies.
Please see the Azure tutorial from the Typhoon documentation.
kubectl apply -f deploy/seccompagent.yaml
If you use the Security Profiles Operator (SPO), you can deploy a Seccomp Profile with kubectl:
kubectl apply -f docs/profiles/notify-dangerous.yaml
Otherwise, you can install docs/profiles/notify-dangerous.json on the worker nodes manually, in the /var/lib/kubelet/seccomp/ directory.
Start a new pod:
kubectl apply -f docs/examples/pod.yaml