-
Notifications
You must be signed in to change notification settings - Fork 40.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support seccomp profile from container's security context #49178
Conversation
/unassign |
/assign @yujuhong |
944ed1a
to
f0b8578
Compare
@yujuhong Rebased. PTAL. |
/test pull-kubernetes-e2e-gce-etcd3 |
cmd/kubelet/app/server.go
Outdated
@@ -983,7 +983,7 @@ func RunDockershim(c *componentconfig.KubeletConfiguration, r *options.Container | |||
SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols, | |||
} | |||
|
|||
ds, err := dockershim.NewDockerService(dockerClient, c.SeccompProfileRoot, r.PodSandboxImage, | |||
ds, err := dockershim.NewDockerService(dockerClient, r.PodSandboxImage, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Could you rearrange this a little bit? Since this line get shorter now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack
pkg/kubelet/kuberuntime/helpers.go
Outdated
@@ -255,3 +256,30 @@ func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string | |||
|
|||
return sysctls, nil | |||
} | |||
|
|||
// getSeccompProfileFromAnnotations gets seccomp profile from annotations. | |||
// It gets pod's profile if containerName is null. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/null/empty.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack
pkg/kubelet/kubelet.go
Outdated
@@ -572,7 +572,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Dep | |||
case kubetypes.DockerContainerRuntime: | |||
// Create and start the CRI shim running as a grpc server. | |||
streamingConfig := getStreamingConfig(kubeCfg, kubeDeps) | |||
ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, kubeCfg.SeccompProfileRoot, crOptions.PodSandboxImage, | |||
ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, crOptions.PodSandboxImage, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack
expectedOpts: []string{`seccomp={"foo":"bar"}`}, | ||
expectErr: false, | ||
msg: "Seccomp localhost/test profile", | ||
seccompProfile: "localhost/fixtures/seccomp/test", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At least add comment to explain that we are abusing localhost/
for test now, because fixtures/seccomp/test
is not an absolute path.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack
|
||
return []dockerOpt{{"seccomp", b.String(), msg}}, nil | ||
} | ||
|
||
// getSeccompSecurityOpts gets container seccomp options from container and sandbox | ||
// config, currently from sandbox annotations. | ||
// getSeccompSecurityOpts gets container seccomp options from container security context. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
from container seccomp profile?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack
|
||
if strings.HasPrefix(profile, "localhost/") { | ||
name := strings.TrimPrefix(profile, "localhost/") | ||
fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should add localhost/
.
@feiskyer Several questions:
As for 1), one option is to convert However, I discussed this with @yujuhong today, we think that user may really be expecting "Docker" default. We should not silently convert Ideally, we should have kubelet default, and pass this default to runtime. However, that requires Kubernetes api change. So for now, we can only keep passing |
/retest Review the full test history for this PR. |
3 similar comments
/retest Review the full test history for this PR. |
/retest Review the full test history for this PR. |
/retest Review the full test history for this PR. |
Made a rebase to fix the pull-kubernetes-verify problem. |
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Random-Liu, feiskyer Associated issue: 46332 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test all [submit-queue is verifying that this PR is safe to merge] |
@Random-Liu Thanks. |
/retest |
Automatic merge from submit-queue |
@feiskyer @Random-Liu this is not correct btw, CRI-O has its own seccomp profile which can actually be used. CRI-O isn't going to error out, but calling |
@runcom: GitHub didn't allow me to request PR reviews from the following users: rhatdan. Note that only kubernetes members can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@runcom, kubelet passes the seccomp profile name from the Kubernetes API to the runtime directly. The exact profile name used in the pod annotation is |
BTW, there is ongoing work to define a default profile for kuberentes: kubernetes/community#660 |
What this PR does / why we need it:
Support seccomp profile from container's security context, followup of #46332.
Which issue this PR fixes
fixes #46332.
Special notes for your reviewer:
Depends on #49179. (already merged)Release note: