
Container Runtime Security: seccomp, AppArmor, and EKS Pod Security

DevOps & CI/CD · Palaniappan P · 1 min read

Quick summary: Default Docker seccomp is not enough for regulated workloads. EKS Pod Security Standards, seccomp profiles, and Fargate platform version constraints.

Key Takeaways

  • EKS Pod Security Standards (June 2026) enforce restricted baseline via namespace labels—blocks privileged pods, host namespaces, and dangerous volume types
  • Scan top 10 images for CAP_SYS_ADMIN

EKS Pod Security Standards (June 2026) enforce restricted baseline via namespace labels—blocks privileged pods, host namespaces, and dangerous volume types.

Benchmark pattern (hypothetical workload) — EKS Pod Security Standards (restricted), seccomp RuntimeDefault blocks 94% of container breakout syscalls in Falco simulation; Fargate enforces platform seccomp, custom profile requires EKS managed node group.

Symptom → mechanism → AWS control

Production symptom | Mechanism | AWS control
Container escape via syscall | Unrestricted syscall surface | EKS Pod Security Standards restricted, seccomp profile
Privileged pod deployed | No admission control | OPA Gatekeeper / Kyverno deny privileged
Fargate can’t use custom seccomp | Fargate platform-managed runtime | EKS managed nodes for custom seccomp/AppArmor

Opinionated take: Enforce EKS Pod Security Standards ‘restricted’ in production namespaces—Fargate gives you platform seccomp free, but custom profiles need managed nodes.

seccomp / AppArmor

  • seccomp: syscall filter (RuntimeDefault or custom profile JSON)
  • AppArmor: path-based MAC (less common on AL2/Bottlerocket; SELinux on some AMIs)

Fargate restricts capabilities further—verify platform version release notes before requiring custom seccomp.

AWS services map

Control | Where
Admission | EKS PSS / OPA Gatekeeper / Kyverno
Image trust | ECR scanning + signing (Notation/Cosign)
Runtime threat | GuardDuty EKS protection

What to do this week

  1. Label namespaces pod-security.kubernetes.io/enforce=restricted.
  2. Scan top 10 images for CAP_SYS_ADMIN.
  3. Document exceptions with security sign-off.
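As an added example (not code from the article), the following Python checker audits pod manifests against the main rules the ‘restricted’ profile enforces once the namespace label from step 1 goes on: privileged containers, host namespaces, disallowed volume types, missing seccomp profile, and capabilities added back beyond NET_BIND_SERVICE, which is where CAP_SYS_ADMIN from step 2 is actually granted to a running container. The pod manifests, image names and the `audit_pod` / `containers_adding_cap` helpers are constructed for this example, and the checker covers a subset of the restricted profile rather than the full Pod Security Admission rule set.

```python
"""Audit pod manifests against the Pod Security Standards 'restricted' rules
the article names, before a namespace gets the enforce=restricted label.

Added example, not code from the article. Covers a subset of the restricted
profile; the sample manifests below are constructed."""
import json

# Volume types the restricted profile permits; anything else (hostPath etc.) is denied.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
# The only capability restricted lets a container add back after dropping ALL.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def _normalize_cap(cap):
    """Accept both manifest form (SYS_ADMIN) and scanner form (CAP_SYS_ADMIN)."""
    return cap.upper().removeprefix("CAP_")


def _containers(spec):
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def audit_pod(pod):
    """Return the list of restricted-profile violations in one pod manifest (dict)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []

    # Host namespaces are denied outright (baseline and restricted).
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"{name}: {field}=true (host namespace)")

    # A volume entry is {"name": ..., "<type>": {...}}; the type key must be on the allowlist.
    for vol in spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in ALLOWED_VOLUME_TYPES:
            findings.append(f"{name}: volume {vol.get('name')} uses disallowed type {vtype}")

    for c in _containers(spec):
        sc = c.get("securityContext", {})
        cname = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged=true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}/{cname}: capabilities.drop must include ALL")
        for cap in caps.get("add", []):
            if _normalize_cap(cap) not in ALLOWED_ADDED_CAPS:
                findings.append(f"{name}/{cname}: adds capability {cap}")
        # Container-level seccomp/runAsNonRoot may be omitted when the pod-level field is set.
        pod_seccomp = pod_sc.get("seccompProfile", {}).get("type")
        if sc.get("seccompProfile", {}).get("type", pod_seccomp) not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}/{cname}: seccompProfile.type must be RuntimeDefault or Localhost")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}/{cname}: runAsNonRoot must be true")
    return findings


def containers_adding_cap(pods, cap):
    """(pod, container) pairs that add `cap`; the article's step 2 for CAP_SYS_ADMIN."""
    want = _normalize_cap(cap)
    return [(p["metadata"]["name"], c["name"])
            for p in pods for c in _containers(p.get("spec", {}))
            if any(_normalize_cap(a) == want for a in
                   c.get("securityContext", {}).get("capabilities", {}).get("add", []))]


# Constructed sample manifests (not from the article): one compliant, one breakout-prone.
COMPLIANT_POD = {
    "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app", "image": "registry.example/api:1.2.3",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}
BREAKOUT_PRONE_POD = {
    "metadata": {"name": "debug-agent"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "agent", "image": "registry.example/agent:latest",
                        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    pods = [COMPLIANT_POD, BREAKOUT_PRONE_POD]
    report = {p["metadata"]["name"]: audit_pod(p) for p in pods}
    report["adds CAP_SYS_ADMIN"] = containers_adding_cap(pods, "CAP_SYS_ADMIN")
    print(json.dumps(report, indent=2))
```

To run it against a live cluster, feed each item of `kubectl get pods -A -o json` to `audit_pod`. The admission controller offers the same rehearsal server-side: `kubectl label --dry-run=server --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted` reports the pods the label would reject without applying it, which is a useful input for the exception list in step 3.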

More in This Track

Part of the Engineering Guides library (June 2026).

What this guide doesn’t cover

Network policies—see zero-trust VPC pattern.

Palaniappan P

AWS Cloud Architect & AI Expert

AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.

Topics: AWS Architecture, Cloud Migration, GenAI on AWS, Cost Optimization, DevOps
