Configure Seccomp profiles for pod security
This document describes how to configure Kubernetes Seccomp (Secure Computing Mode) profiles for Apigee hybrid pods to enhance security by restricting the system calls (syscalls) that containers are allowed to make.
About Seccomp profiles in Kubernetes
Seccomp is a Linux kernel security feature that limits the system calls a process can make. In Kubernetes, you apply a Seccomp profile through a pod's securityContext to restrict the syscalls available to its containers; a syscall the profile does not allow is denied by the kernel before it runs. This reduces the attack surface of the container and mitigates the risk of container breakouts or privilege escalation by enforcing the principle of least privilege.
For more information on Seccomp in Kubernetes, see Secure Computing (Seccomp) in the Kubernetes documentation.
In hybrid, Seccomp profiles are not enabled by default, so hybrid pods run without a Seccomp filter unless the cluster's kubelet applies one on its own (the seccompDefault kubelet setting). You can choose to apply a Seccomp profile to hybrid components by adding the seccompProfile object to your overrides.yaml file.
Configuring Seccomp profiles
You can apply Seccomp profiles globally, per environment, or per component in your overrides.yaml file by adding the securityContext.seccompProfile configuration block. hybrid supports the following Seccomp profile types:
- RuntimeDefault: The default profile specified by the container runtime (for containerd and Docker, a profile that allows most syscalls and denies the rest with EPERM). This is the recommended option, as it provides a reasonable level of security while maintaining compatibility for most workloads. Validate it in a non-production cluster first: a container that needs a denied syscall fails at run time, not at deployment.
- Unconfined: Applies no Seccomp restrictions to the pod. This is the least secure option and should be used with caution.
The Localhost profile type is not supported in this release of hybrid.
Configuration precedence
You can set the seccompProfile at the following levels in overrides.yaml. Component-level settings take precedence over environment-level settings, and environment-level settings take precedence over global settings:
- Component level: Applies to a specific component (for example, runtime or cassandra).
- Environment level: Applies to all components within a specific environment defined in the envs[] array, unless overridden at the component level.
- Global level: Applies to all components in the cluster, unless overridden at the environment or component level.
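The precedence rule above, as an added worked example (not Apigee code): a resolver that walks a parsed overrides.yaml, checking the component block first, then the matching envs[] entry, then the global block, and that rejects the unsupported Localhost type instead of ignoring it. The SAMPLE_OVERRIDES dict is constructed sample data in the shape PyYAML would load from overrides.yaml; the environment names and the empty cassandra block are assumptions for illustration.

```python
"""Resolve the effective seccompProfile.type for a hybrid component.

Added example, not part of Apigee hybrid. Implements the documented
precedence: component level > environment level > global level.
"""
from typing import Optional

# The only types hybrid accepts; Localhost is not supported in this release.
SUPPORTED_TYPES = {"RuntimeDefault", "Unconfined"}

# Constructed sample overrides.yaml, as a dict (e.g. yaml.safe_load output).
SAMPLE_OVERRIDES = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},   # global
    "envs": [
        {"name": "prod", "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
        {"name": "dev", "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        {"name": "test"},                                                  # inherits global
    ],
    "runtime": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
    "cassandra": {},                                                       # no component override
}


def _profile_type(scope: Optional[dict]) -> Optional[str]:
    """Return securityContext.seccompProfile.type from one config scope, if set."""
    if not scope:
        return None
    ctx = scope.get("securityContext") or {}
    return (ctx.get("seccompProfile") or {}).get("type")


def _env_block(overrides: dict, env: Optional[str]) -> Optional[dict]:
    """Find the envs[] entry named `env`; None when no environment is requested."""
    if env is None:
        return None
    for entry in overrides.get("envs", []):
        if entry.get("name") == env:
            return entry
    raise KeyError(f"environment {env!r} is not defined in envs[]")


def resolve_seccomp_type(overrides: dict, component: str,
                         env: Optional[str] = None) -> Optional[str]:
    """Effective seccompProfile.type for `component` (optionally within `env`).

    Most specific scope wins. Returns None when no scope sets a profile, which
    in hybrid means Seccomp is simply not enabled for that component.
    """
    scopes = (overrides.get(component), _env_block(overrides, env), overrides)
    for scope in scopes:
        profile = _profile_type(scope)
        if profile is None:
            continue
        if profile not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported seccompProfile.type {profile!r} for {component}")
        return profile
    return None


def unsupported_profiles(overrides: dict) -> list:
    """List every seccompProfile.type in the file that hybrid would not accept."""
    scopes = [("global", overrides)]
    scopes += [(f"env:{e.get('name')}", e) for e in overrides.get("envs", [])]
    scopes += [(f"component:{k}", v) for k, v in overrides.items()
               if isinstance(v, dict) and k != "securityContext"]
    return [f"{label}: seccompProfile.type {t!r} is not supported"
            for label, scope in scopes
            if (t := _profile_type(scope)) is not None and t not in SUPPORTED_TYPES]


if __name__ == "__main__":
    for component, env in (("runtime", "dev"), ("cassandra", "dev"),
                           ("cassandra", "test"), ("cassandra", None)):
        print(f"{component:10} env={env!s:5} -> {resolve_seccomp_type(SAMPLE_OVERRIDES, component, env)}")
```

With the sample data, runtime in dev resolves to RuntimeDefault (the component block beats the environment's Unconfined), cassandra in dev resolves to Unconfined, and cassandra in test falls through to the global RuntimeDefault. Run unsupported_profiles against your real overrides before applying them; a Localhost entry would otherwise surface only as an install-time error.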
Examples
Global configuration
To apply the RuntimeDefault Seccomp profile to all components that do not have an environment- or component-level override, add the following to the top level of your overrides.yaml:

```yaml
securityContext:
  seccompProfile:
    type: RuntimeDefault
```
Environment configuration
To apply the RuntimeDefault Seccomp profile to all components in a specific environment, add the configuration under the envs[] element:

```yaml
envs:
  - name: "my-environment"
    securityContext:
      seccompProfile:
        type: RuntimeDefault
    # ...
```
Component configuration
To apply the RuntimeDefault Seccomp profile to a specific component (for example, the runtime component), add the configuration under that component:

```yaml
runtime:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  # ...
```
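After applying the overrides, confirm that the profile reached the pods rather than trusting the file. The following added example (not Apigee or Kubernetes code) reads the output of `kubectl get pods -n apigee -o json` and reports the effective seccompProfile.type per container using Kubernetes semantics (a container-level securityContext overrides the pod-level one, init containers included), then flags containers that are not on RuntimeDefault. It also interprets the Seccomp line of /proc/1/status, which you can capture with `kubectl exec -n apigee POD -c CONTAINER -- grep Seccomp /proc/1/status` in images that ship a shell, as a kernel-level cross-check. The namespace `apigee`, the pod name and the sidecar container are assumptions; the PodList and status text are constructed sample data.

```python
"""Report the effective Seccomp profile of each container in kubectl JSON output.

Added example, not part of Apigee hybrid or Kubernetes.
Usage: kubectl get pods -n apigee -o json | python3 seccomp_check.py
"""
import json
import sys
from typing import Optional

# Constructed sample PodList in the shape kubectl -o json prints.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [{
        "metadata": {"name": "apigee-runtime-sample-0", "namespace": "apigee"},
        "spec": {
            "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "initContainers": [{"name": "init"}],
            "containers": [
                {"name": "apigee-runtime"},                      # inherits pod level
                {"name": "sidecar",                              # explicit override
                 "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
            ],
        },
    }],
}

# Values of the Seccomp field in /proc/<pid>/status.
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def _profile(obj: dict) -> Optional[str]:
    """securityContext.seccompProfile.type of a pod spec or container, if set."""
    ctx = obj.get("securityContext") or {}
    return (ctx.get("seccompProfile") or {}).get("type")


def effective_seccomp(pod: dict) -> dict:
    """Map container name -> effective seccompProfile.type.

    Container level overrides pod level. None means neither level sets a
    profile: the container runs unconfined unless the kubelet's seccompDefault
    setting is on, which a manifest-level check cannot see.
    """
    spec = pod["spec"]
    pod_level = _profile(spec)
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return {c["name"]: _profile(c) or pod_level for c in containers}


def _items(doc: dict) -> list:
    """Accept either a PodList or a single Pod document."""
    return doc["items"] if doc.get("kind") == "PodList" else [doc]


def noncompliant(doc: dict, required: str = "RuntimeDefault") -> list:
    """(pod, container, effective type) for every container not on `required`."""
    return [(pod["metadata"]["name"], name, profile)
            for pod in _items(doc)
            for name, profile in effective_seccomp(pod).items()
            if profile != required]


def seccomp_mode(proc_status: str) -> str:
    """Interpret the Seccomp line of /proc/<pid>/status captured from a container."""
    for line in proc_status.splitlines():
        if line.startswith("Seccomp:"):
            return SECCOMP_MODES.get(int(line.split(":", 1)[1].strip()), "unknown")
    return "unknown"  # kernels built without CONFIG_SECCOMP expose no such line


if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST
    findings = noncompliant(doc)
    for pod, container, profile in findings:
        print(f"{pod}/{container}: seccompProfile.type={profile}")
    sys.exit(1 if findings else 0)
```

A RuntimeDefault container shows "Seccomp:\t2" (filter mode) in /proc/1/status; "Seccomp:\t0" means the process runs with no filter even if the manifest claims otherwise, so a mismatch between the two checks points at the runtime or kubelet rather than at overrides.yaml.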
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.