KKloud TarusKKloud Tarus
  • Blog
  • Series
  • Team
  • About

Blog

Thoughts on engineering, design, and building great products.

SeriesAll postsseccompAIAPFAPIAPI GatewayARPAWSAdmissionAffinityAggregationAnsibleAppArmorArchitectureAuthenticationAuthorization
seccomp-bpf: Classic BPF Filtering Sysca...
SecurityContainer

seccomp-bpf: Classic BPF Filtering Syscalls in Every Container

Before eBPF there was cBPF — classic BPF, the thing tcpdump uses. And it's still running: seccomp-bpf filters syscalls with cBPF, the foundational sandbox layer of containers. This article distinguishes cBPF from eBPF, inspects real seccomp on the cluster (pause containers and CSI sidecars restricted, privileged pods not), then writes a cBPF filter that blocks mkdir with EPERM — eight instructions on struct seccomp_data, installed with prctl, blocking for real while printf still runs.

K
KaiMay 24, 2026· 18 views
Seccomp, AppArmor and Capabilities
DevOpsSecurity

Seccomp, AppArmor and Capabilities

Article 54 made pods declare runAsNonRoot, drop ALL capabilities, seccomp RuntimeDefault — but that's only Kubernetes-level policy. This article goes to the kernel layer to see what they actually do: read /proc/self/status from two pods, one default and one hardened, comparing CapEff, Seccomp, NoNewPrivs, AppArmor. Then prove by hand that dropping a capability blocks a specific operation — chown is denied even when the container still runs as root.

K
KaiMay 24, 2026· 27 views
KKloud TarusKKloud Tarus

Explore. Build. Share.

  • Blog
  • Team
  • About
© 2026 KKloud Tarus. All rights reserved.