KubeDojo

Kernel Hardening: AppArmor and seccomp

by Alexis Kinsella · 18 min read

RBAC controls who can talk to the API server. Network policies control which Pods can talk to each other. But once a container process is running, neither mechanism restricts what that process does on the node. Kubernetes applies no seccomp profile unless the Pod spec asks for one or the kubelet's seccompDefault option is enabled, so a compromised container that gains code execution can attempt any syscall the kernel exposes; whether a call such as mounting a filesystem, tracing another process or loading a kernel module then succeeds depends only on the capabilities and file permissions the container kept. The attack surface is the entire Linux kernel: a few hundred syscalls, most of which a typical application never needs.

Two kernel-level mechanisms close that gap. AppArmor is a mandatory access control system: a per-program profile, enforced by the kernel regardless of the process's user ID or capabilities, that states which paths the process may read, write or execute, which network operations and capabilities it may use, and whether it may mount filesystems or ptrace other processes. seccomp is a syscall filter: a BPF program attached to the process that decides, by syscall number and arguments, whether each call is allowed, fails with an errno, or kills the thread. Both are applied by the container runtime before the entrypoint starts and cannot be removed by the confined process itself, so they keep constraining the container even if an attacker escapes Kubernetes-level protections, short of a kernel vulnerability.
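The two mechanisms described above, as an added example that is not part of the original lesson: a deny-by-default seccomp profile, a small AppArmor profile that blocks writes under /proc and /sys along with mount and ptrace, and a Pod that loads both. The kubelet root directory (/var/lib/kubelet), the profile name k8s-deny-proc-write, the image example.com/app:1.0 and the syscall allowlist are assumptions made for the example, not values from the page; the allowlist in particular is a starting point to be derived per workload, not a list known to run any real application.

```bash
#!/usr/bin/env bash
# Added example, not the lesson's own material. Assumptions (not from the
# page): kubelet root is /var/lib/kubelet, so seccomp profiles are read from
# /var/lib/kubelet/seccomp/; the AppArmor profile is named
# k8s-deny-proc-write; example.com/app:1.0 is a placeholder image.
set -euo pipefail

# seccomp: anything not listed returns EPERM (SCMP_ACT_ERRNO) rather than
# killing the process, so a blocked call shows up in the app's own logs.
# mount, ptrace and init_module are absent, hence denied. Derive a real
# allowlist for your workload from `strace -f -c` before using this.
write_seccomp_profile() {   # $1 = output directory
  mkdir -p "$1"
  cat > "$1/deny-default.json" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": [
        "accept4", "bind", "brk", "close", "epoll_create1", "epoll_ctl",
        "epoll_pwait", "exit", "exit_group", "fstat", "futex", "getpid",
        "listen", "mmap", "mprotect", "munmap", "openat", "read",
        "recvfrom", "rt_sigaction", "rt_sigprocmask", "rt_sigreturn",
        "sendto", "setsockopt", "socket", "write", "writev"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
EOF
}

# AppArmor: the profile is identified by the name after "profile", not by
# the file name, and must be loaded on every node the Pod may land on.
write_apparmor_profile() {  # $1 = output directory
  mkdir -p "$1"
  cat > "$1/k8s-deny-proc-write" <<'EOF'
#include <tunables/global>

profile k8s-deny-proc-write flags=(attach_disconnected) {
  #include <abstractions/base>

  # Ordinary file, network and capability use stays allowed; capabilities
  # are still limited by the container's bounding set.
  file,
  network,
  capability,

  # Block common tampering and escape paths even for a root process.
  deny /proc/** w,
  deny /sys/** w,
  deny mount,
  deny ptrace,
}
EOF
}

# Pod: localhostProfile for seccomp is relative to <kubelet-root>/seccomp/.
# securityContext.appArmorProfile needs Kubernetes 1.30+; older clusters use
# the annotation container.apparmor.security.beta.kubernetes.io/<container>.
write_pod_manifest() {      # $1 = output directory
  mkdir -p "$1"
  cat > "$1/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: hardened
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/deny-default.json
  containers:
  - name: app
    image: example.com/app:1.0
    securityContext:
      appArmorProfile:
        type: Localhost
        localhostProfile: k8s-deny-proc-write
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

out_dir="${OUT_DIR:-./hardening-out}"
write_seccomp_profile "$out_dir"
write_apparmor_profile "$out_dir"
write_pod_manifest "$out_dir"
echo "wrote deny-default.json, k8s-deny-proc-write and pod.yaml to $out_dir"
# On each node, then from an admin workstation:
#   sudo install -D deny-default.json /var/lib/kubelet/seccomp/profiles/deny-default.json
#   sudo install k8s-deny-proc-write /etc/apparmor.d/
#   sudo apparmor_parser -r -W /etc/apparmor.d/k8s-deny-proc-write
#   kubectl apply -f pod.yaml
```

To confirm both are in force from inside the running container, `grep Seccomp: /proc/1/status` prints 2 (filter mode) and `cat /proc/1/attr/current` prints `k8s-deny-proc-write (enforce)`. If the profile file is missing on the node the Pod is scheduled to, the kubelet refuses to start the container rather than running it unconfined, which is the failure mode you want.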
