Container Runtime Security: seccomp, AppArmor, and EKS Pod Security

DevOps & CI/CD Jun 12, 2026 Palaniappan P 1 min read

Quick summary: Default Docker seccomp is not enough for regulated workloads. EKS Pod Security Standards, seccomp profiles, and Fargate platform version constraints.

Key Takeaways

EKS Pod Security Standards, seccomp profiles, and Fargate platform version constraints
EKS Pod Security Standards (June 2026) enforce restricted baseline via namespace labels—blocks privileged pods, host namespaces, and dangerous volume types
2
Scan top 10 images for
3

Table of Contents

EKS Pod Security Standards (June 2026) enforce restricted baseline via namespace labels—blocks privileged pods, host namespaces, and dangerous volume types.

seccomp / AppArmor

seccomp: syscall filter (RuntimeDefault or custom profile JSON)
AppArmor: path-based MAC (less common on AL2/ Bottlerocket; SELinux on some AMIs)

Fargate restricts capabilities further—verify platform version release notes before requiring custom seccomp.

AWS map

Control	Where
Admission	EKS PSS / OPA Gatekeeper / Kyverno
Image trust	ECR scanning + signing (Notation/Cosign)
Runtime threat	GuardDuty EKS protection

What to do this week

Label namespaces pod-security.kubernetes.io/enforce=restricted.
Scan top 10 images for CAP_SYS_ADMIN.
Document exceptions with security sign-off.

What this guide doesn’t cover

Network policies—see zero-trust VPC pattern.

Palaniappan P

AWS Cloud Architect & AI Expert

AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.

AWS ArchitectureCloud MigrationGenAI on AWSCost OptimizationDevOps

Article Info

Updated this month

DevOps & CI/CD
Jun 12, 2026
1 min read
Palaniappan P

**EKS Pod Security Standards (June 2026)** enforce **restricted** baseline via namespace labels—blocks privileged pods, host namespaces, and dangerous volume types.

## seccomp / AppArmor

- **seccomp**: syscall filter (`RuntimeDefault` or custom profile JSON)
- **AppArmor**: path-based MAC (less common on AL2/ Bottlerocket; SELinux on some AMIs)

**Fargate** restricts capabilities further—verify platform version release notes before requiring custom seccomp.

## AWS map

| Control        | Where                                    |
| -------------- | ---------------------------------------- |
| Admission      | EKS PSS / OPA Gatekeeper / Kyverno       |
| Image trust    | ECR scanning + signing (Notation/Cosign) |
| Runtime threat | GuardDuty EKS protection                 |

## What to do this week

1. Label namespaces `pod-security.kubernetes.io/enforce=restricted`.
2. Scan top 10 images for `CAP_SYS_ADMIN`.
3. Document exceptions with security sign-off.

## What this guide doesn't cover

Network policies—see zero-trust VPC pattern.

Ask AI

ChatGPT Claude Perplexity Gemini

Need AWS Help?

Our certified AWS architects can help you implement the solutions discussed in this article.

Talk to an AWS Expert

Recommended Reading

Explore All Articles »

Service Mesh Traffic Shifting: VPC Lattice, Istio on EKS, and App Mesh EOL

DevOps & CI/CD

Jun 12, 2026 1 min

Service Mesh Traffic Shifting: VPC Lattice, Istio on EKS, and App Mesh EOL

App Mesh is legacy path—new meshes should start with VPC Lattice for AWS-native east-west or Istio on EKS when you need full L7 policy. Traffic shifting without duplicating load balancers per service.

Kubernetes Pod Disruption Budgets on EKS: Zero-Downtime Upgrades

DevOps & CI/CD

Jun 12, 2026 1 min

Kubernetes Pod Disruption Budgets on EKS: Zero-Downtime Upgrades

Cluster upgrades and Karpenter consolidation look healthy in the console while PDB-blocked evictions freeze your node drain for 45 minutes. This guide wires minAvailable, maxUnavailable, and EKS managed node group semantics.

How to Deploy EKS with Karpenter for Cost-Optimized Autoscaling

Cloud Architecture

Apr 3, 2026 9 min

How to Deploy EKS with Karpenter for Cost-Optimized Autoscaling

Karpenter replaces Kubernetes Cluster Autoscaler with intelligent bin-packing and just-in-time node provisioning. This guide covers setup, consolidation, cost optimization, and production patterns for EKS clusters.

Blue/Green vs Canary on AWS (2026): ECS, Lambda, and When Rolling Is Enough

DevOps & CI/CD

May 29, 2026 4 min

Blue/Green vs Canary on AWS (2026): ECS, Lambda, and When Rolling Is Enough

ECS CodeDeploy and Lambda aliases support both instant cutover and gradual shifts—but picking wrong costs you double Fargate spend or 21-day MTTR on muted alarms. This decision guide scores blue/green, canary, and rolling with a matrix and names App Mesh (EOL Sept 30, 2026) replacements.

AI & assistant-friendly summary

Summary

Key Facts

Entity Definitions

Related Content

seccomp / AppArmor

AWS map

What to do this week

What this guide doesn’t cover

Recommended Reading

Service Mesh Traffic Shifting: VPC Lattice, Istio on EKS, and App Mesh EOL

Kubernetes Pod Disruption Budgets on EKS: Zero-Downtime Upgrades

How to Deploy EKS with Karpenter for Cost-Optimized Autoscaling

Blue/Green vs Canary on AWS (2026): ECS, Lambda, and When Rolling Is Enough