---
title: Container Runtime Security: seccomp, AppArmor, and EKS Pod Security
description: Default Docker seccomp is not enough for regulated workloads. EKS Pod Security Standards, seccomp profiles, and Fargate platform version constraints.
url: https://www.factualminds.com/blog/container-runtime-security-seccomp-apparmor-eks-fargate/
datePublished: 2026-06-12T00:00:00.000Z
dateModified: 2026-06-12T00:00:00.000Z
author: Palaniappan P
category: DevOps & CI/CD
tags: engineering-guide, security, kubernetes, eks, aws
---

# Container Runtime Security: seccomp, AppArmor, and EKS Pod Security

> Default Docker seccomp is not enough for regulated workloads. EKS Pod Security Standards, seccomp profiles, and Fargate platform version constraints.

**EKS Pod Security Standards (June 2026)** enforce the **restricted** level via namespace labels, which blocks privileged pods, host namespaces, and dangerous volume types.

## seccomp / AppArmor

- **seccomp**: syscall filter (`RuntimeDefault` or custom profile JSON)
- **AppArmor**: path-based MAC (less common on AL2/Bottlerocket; SELinux on some AMIs)

**Fargate** restricts capabilities further, so verify the platform version release notes before requiring a custom seccomp profile.

## AWS map

| Control        | Where                                    |
| -------------- | ---------------------------------------- |
| Admission      | EKS PSS / OPA Gatekeeper / Kyverno       |
| Image trust    | ECR scanning + signing (Notation/Cosign) |
| Runtime threat | GuardDuty EKS protection                 |

## What to do this week

1. Label namespaces `pod-security.kubernetes.io/enforce=restricted`.
2. Scan top 10 images for `CAP_SYS_ADMIN`.
3. Document exceptions with security sign-off.
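To see what the `restricted` label will reject before you apply it, here is an added example (not code from the original post or from Kubernetes) that runs a subset of the restricted-profile checks offline over pod manifests already parsed into Python dicts, including the seccomp requirement and added capabilities such as `SYS_ADMIN`; the sample manifests and names (`GOOD_POD`, `BAD_POD`, container names) are constructed for the illustration.

```python
# Offline check of a subset of the Pod Security Standards "restricted" profile.
# Added example: not the kube-apiserver's Pod Security Admission code, which
# validates more fields than are covered here.
HOST_NS = ("hostNetwork", "hostPID", "hostIPC")
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod: dict) -> list[str]:
    """Return the reasons a pod would be rejected; an empty list means admitted."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []
    for field in HOST_NS:  # no host namespace sharing
        if spec.get(field):
            out.append(f"spec.{field} must be false")
    for vol in spec.get("volumes", []):  # hostPath and other unsafe types are rejected
        kinds = [k for k in vol if k != "name"]
        if any(k not in ALLOWED_VOLUMES for k in kinds):
            out.append(f"volume {vol.get('name')!r}: disallowed type {kinds}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            out.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            out.append(f"{name}: capabilities.add {sorted(extra)} not allowed")
        # container-level seccomp/runAsNonRoot override the pod-level values
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{name}: runAsNonRoot must be true")
    return out


# Constructed sample manifests (not taken from any real cluster).
GOOD_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
BAD_POD = {"spec": {
    "hostPID": True, "volumes": [{"name": "sock", "hostPath": {"path": "/var/run"}}],
    "containers": [{"name": "agent", "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}
```

Running `restricted_violations` over each workload's manifest (for example after `yaml.safe_load`) gives you the exception list for step 3 before the namespace label starts rejecting pods.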

## What this guide doesn't cover

Network policies—see zero-trust VPC pattern.

---

*Source: https://www.factualminds.com/blog/container-runtime-security-seccomp-apparmor-eks-fargate/*
