The Security Profiles Operator (SPO) is a Kubernetes SIG project that manages the lifecycle of seccomp, SELinux, and AppArmor profiles across a cluster. It turns low-level Linux security profiles into Kubernetes-native custom resources that can be distributed to every node and bound to workloads declaratively.
SPO installs a DaemonSet that syncs profiles onto each node’s local filesystem at the path that kubelet expects, so a SeccompProfile CR named nginx-restricted becomes a file under /var/lib/kubelet/seccomp/operator/... ready to be referenced by pod security context. Similar controllers handle SelinuxProfile (translating high-level rules into CIL and loading them via selinuxd) and AppArmorProfile. Beyond static distribution, SPO can record profiles at runtime: a ProfileRecording resource attaches eBPF or oci-hook-based recorders to selected pods, captures every syscall they make, and produces a minimal seccomp profile that represents exactly the workload’s real behavior — effectively automating what was previously a tedious manual audit.
SPO also exposes a webhook that can bind profiles to workloads via labels, and a profile-binding mechanism for enforcing rules such as “every pod in this namespace must use this seccomp profile.” It is the standard way to deploy fine-grained kernel-level confinement on Kubernetes without maintaining node-level provisioning scripts, and it is the project that the CIS and NSA Kubernetes hardening guides point to for runtime syscall restriction. It is Apache-2.0 licensed under kubernetes-sigs.
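As an added example (not from the SPO project or this page), here are the resources described above for one workload: a recording that produces the profile, the resulting SeccompProfile CR, a pod that references it via the kubelet path, and a ProfileBinding that enforces it. The namespace `web`, the image tag and the syscall allowlist are constructed; the API versions and the `spo.x-k8s.io/enable-binding` namespace label are as documented by SPO, so check them against the version you run.

```yaml
# 1. Record real behaviour: the eBPF recorder watches pods labelled app=nginx
#    and emits a SeccompProfile containing only the syscalls observed.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: nginx-recording
  namespace: web
spec:
  kind: SeccompProfile
  recorder: bpf
  podSelector:
    matchLabels:
      app: nginx
---
# 2. The distributed profile. SPO's DaemonSet writes it on every node as
#    /var/lib/kubelet/seccomp/operator/web/nginx-restricted.json.
#    Allowlist below is illustrative (constructed), not a complete nginx set.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: nginx-restricted
  namespace: web
spec:
  defaultAction: SCMP_ACT_ERRNO     # deny by default; unlisted syscalls fail with EPERM
  architectures:
    - SCMP_ARCH_X86_64
  syscalls:
    - action: SCMP_ACT_ALLOW
      names: [accept4, bind, brk, close, epoll_ctl, epoll_wait, listen,
              mmap, munmap, openat, read, recvfrom, sendfile, write]
---
# 3. Explicit reference from a pod: the localhostProfile path is relative to
#    the kubelet seccomp root, so it starts at operator/<namespace>/<name>.json.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: web
  labels: { app: nginx }
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: operator/web/nginx-restricted.json
  containers:
    - { name: nginx, image: nginx:1.25 }
---
# 4. Enforcement without editing pod specs: the SPO webhook injects the profile
#    into any pod in this namespace running the named image. The namespace
#    must be labelled spo.x-k8s.io/enable-binding=true for the webhook to act.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
  name: nginx-binding
  namespace: web
spec:
  profileRef: { kind: SeccompProfile, name: nginx-restricted }
  image: nginx:1.25
```

Apply the recording first and exercise the workload before tightening `defaultAction`; a profile recorded from an incomplete test run will block code paths the test never reached.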