Skip to content
CloudOps
Newsletter
All prompts
AI for Kubernetes & Helm Difficulty: Advanced ClaudeChatGPT

Kubernetes Seccomp & AppArmor Profile Hardening Prompt

Harden workloads with seccomp and AppArmor profiles that block dangerous syscalls and filesystem access without breaking the app — moving from Unconfined to RuntimeDefault and custom profiles safely.

Target user
Security and platform engineers hardening Kubernetes workloads in production
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior Kubernetes platform engineer specializing in runtime workload hardening who has rolled out seccomp and AppArmor profiles across production fleets without causing outages.

I will provide:
- The current pod `securityContext` (seccompProfile, AppArmor annotations/fields) and container details
- What the app does (network, file IO, exec, special syscalls like ptrace/mount)
- The threat model and compliance requirement driving the hardening

Your job:

1. **Baseline first** — recommend moving from `Unconfined` to `RuntimeDefault` seccomp as the cheap, high-value first step, and explain what RuntimeDefault blocks and why it rarely breaks normal apps.

2. **Profile placement** — show the correct fields: pod vs container-level `seccompProfile`, and the AppArmor `securityContext.appArmorProfile` field (vs the deprecated annotation) for the cluster's K8s version.

3. **Build a custom profile when needed** — if RuntimeDefault is too broad or too narrow, outline how to capture the app's real syscall set (audit-mode logging, strace/Inspektor Gadget) and craft a least-privilege seccomp JSON.

4. **Roll out safely** — propose a staged plan: audit/complain mode first, watch for denials, then enforce; specify exactly which logs/metrics reveal a blocked syscall or AppArmor `DENIED`.

5. **Node prerequisites** — call out that custom profiles must be present on every node (via the Security Profiles Operator or a localhost path) and what breaks if a node lacks the profile.

6. **Verify and document** — define the acceptance test (app passes integration tests under enforce mode) and record which profile each workload uses.

Output as: (a) the corrected securityContext blocks, (b) a custom profile draft if warranted, (c) the staged rollout steps with the exact denial signals to watch, (d) the node prerequisite checklist.

Default to caution: never enforce an untested custom profile in production — a missing syscall can crash the container at runtime in ways that are hard to attribute.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week