
Proposal: spec the seccomp profile format #39128

Closed
feiskyer opened this issue Dec 22, 2016 · 3 comments
Labels: area/security, sig/node

@feiskyer
Member

Seccomp is supported by annotations today in both kubernetes api (#25324) and CRI (#33500):

  • security.alpha.kubernetes.io/seccomp/container/<container name> for containers
  • security.alpha.kubernetes.io/seccomp/pod for pods

The candidate values include `localhost/<profile-name>`, which indicates a profile installed in the node's local seccomp profile root.

So from the API, only the profile path is defined; the profile format is not defined clearly.

Although Docker's seccomp profile format was assumed at the beginning, we are adding other runtimes via CRI, so it's time to spec the seccomp profile format clearly.

Candidate formats

There are three candidate formats in my opinion (please let me know if I missed others):

  • OCI seccomp (also reference runc's seccomp)
  • Docker's seccomp: Docker's seccomp in v1.10~1.12 is the same as OCI seccomp, but it introduces ArchMap in v1.13.
  • define a new one for Kubernetes

I prefer to define a new one based on OCI seccomp and add ArchMap to it because of:

  • a more stable API
  • not missing features across different runtimes

@euank @yujuhong @Random-Liu @timstclair @mrunalp WDYT

cc/ @kubernetes/sig-node-misc

@yujuhong yujuhong added area/security sig/node Categorizes an issue or PR as relevant to SIG Node. labels Jan 4, 2017
k8s-github-robot pushed a commit that referenced this issue Jul 17, 2017
Automatic merge from submit-queue

Kubelet CRI: move seccomp from annotations to security context

**What this PR does / why we need it**:

This is the final step for #39130, which moves seccomp from annotations to the Linux container security context. It also fixes #36997 by setting the full seccomp profile path for node-installed profiles.

Note it doesn't include specifying the seccomp profile format, which should be addressed in #39128. A follow-up PR is required for the implementation in kuberuntime and dockershim.

**Which issue this PR fixes** 

Fixes #39130
Fixes #36997

**Special notes for your reviewer**:

**Release note**:
```release-note
Kubelet CRI: move seccomp from annotations to security context.
```
mikebrow commented Sep 23, 2017

I prefer to stay with the OCI spec, so we don't have to define a new one and can use one that is a standard. Just to note your link to runc is actually pointing to the libcontainer format. Runc has a spec converter that converts the OCI spec to libcontainer. For example, this is where the syscall names[] array is exploded into []syscalls with a name.
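To make the difference between the candidate formats concrete, here is an added Python example (not code from Kubernetes, Docker or runc): it takes a constructed Docker 1.13-style profile, resolves its ArchMap into a flat OCI `architectures` list for a given host, and then explodes OCI `names[]` rules into the per-syscall `name` layout that runc's converter produces for libcontainer, as described above. How Docker applies ArchMap (native arch plus its sub-architectures) is an assumption here.

```python
import json
from copy import deepcopy

# Constructed sample in the Docker 1.13-style format: OCI-like fields plus
# archMap (values are illustrative, not a real default profile).
DOCKER_STYLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "archMap": [
    {"architecture": "SCMP_ARCH_X86_64",
     "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]},
    {"architecture": "SCMP_ARCH_AARCH64",
     "subArchitectures": ["SCMP_ARCH_ARM"]}
  ],
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ERRNO",
     "args": [{"index": 0, "value": 2114060288,
               "op": "SCMP_CMP_MASKED_EQ", "valueTwo": 0}]}
  ]
}
""")


def resolve_arch_map(profile, host_arch):
    """Docker-style -> OCI-style: the archMap entry matching host_arch
    becomes a flat 'architectures' list (native arch plus its compatible
    sub-architectures); entries for other hosts are dropped.
    Assumption: this mirrors how Docker applies archMap at load time."""
    oci = {k: deepcopy(v) for k, v in profile.items() if k != "archMap"}
    archs = []
    for entry in profile.get("archMap", []):
        if entry["architecture"] == host_arch:
            archs.append(host_arch)
            archs.extend(entry.get("subArchitectures", []))
    if archs:
        oci["architectures"] = archs
    return oci


def explode_names(profile):
    """OCI-style -> libcontainer-style: each rule's names[] becomes one
    entry per syscall with a single 'name', other fields copied as-is."""
    out = {k: deepcopy(v) for k, v in profile.items() if k != "syscalls"}
    out["syscalls"] = []
    for rule in profile.get("syscalls", []):
        for name in rule["names"]:
            single = {k: deepcopy(v) for k, v in rule.items() if k != "names"}
            single["name"] = name
            out["syscalls"].append(single)
    return out
```

Running `explode_names(resolve_arch_map(DOCKER_STYLE_PROFILE, "SCMP_ARCH_X86_64"))` yields three architectures and four single-name syscall entries; a host not listed in archMap gets no `architectures` key at all, which is the kind of gap a Kubernetes-level spec would need to decide on.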

dims commented Oct 21, 2017

@feiskyer can we close this one in favor of #52827 ?

dims commented Jan 9, 2018

The issue above has more details.

/close
