Add Seccomp to Annotations #25324
Add Seccomp to Annotations #25324
Conversation
k8s-github-robot
added
kind/api-change
| @@ -1362,6 +1362,8 @@ type PodSecurityContext struct { | |||
| // Use the host's ipc namespace. | |||
| // Optional: Default to false. | |||
| HostIPC bool `json:"hostIPC,omitempty"` | |||
| // The SeccompProfile is the seccomp profile this pod should run under. | |||
There was a problem hiding this comment.
I'd appreciate a comment about the semantics wrt the per-container value and the per-pod value. Is it a total override? Additive? Subtractive?
There was a problem hiding this comment.
I need to define that in the proposal, I want total override personally.
There was a problem hiding this comment.
This should be a name right now to match the proposal, I do not want to specify these profiles inline -- it makes the policy much harder to write.
There was a problem hiding this comment.
Will update!
On Monday, May 9, 2016, Paul Morie notifications@github.com wrote:
In pkg/api/types.go
#25324 (comment)
:@@ -1362,6 +1362,8 @@ type PodSecurityContext struct {
// Use the host's ipc namespace.
// Optional: Default to false.
HostIPC booljson:"hostIPC,omitempty"
- // The SeccompProfile is the seccomp profile this pod should run under.
This should be a name right now to match the proposal, I do not want to
specify these profiles inline -- it makes the policy much harder to write.—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
https://github.com/kubernetes/kubernetes/pull/25324/files/ec54b7e13bbd79087fb34f0973f4482c0150c9c6#r62559109
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3
|
I just scanned for API style, not full code review. @erictune since this is VERY similar (and totally different impl) than the apparmor stuff we discussed. |
|
ok to test |
k8s-github-robot
added
the
needs-rebase
|
@jfrazelle proposal is merged so you should be able to update with confidence from that now. We are trying to get LGTM on all 1.3 features today. |
|
Will do as sson as done with work! sorry! On Mon, May 23, 2016 at 11:40 AM, Paul Morie notifications@github.com
Jessie Frazelle |
| @@ -949,18 +946,33 @@ func (dm *DockerManager) checkVersionCompatibility() error { | |||
| return nil | |||
| } | |||
|
|
|||
| func (dm *DockerManager) getDefaultSecurityOpt() ([]string, error) { | |||
| func (dm *DockerManager) getSecurityOpt(container *api.Container) ([]string, error) { | |||
There was a problem hiding this comment.
Look for the annotation on the pod for this container (needs to be changed to accept the pod)
The precedent should be:
- container-specific annotation, if any
- pod-level annotation, if any
- default (unconfined?)
|
updated and added tests |
k8s-github-robot
removed
the
needs-rebase
pmorie
added
the
release-note
|
@jfrazelle Looks like you need to run |
|
ah my b |
|
LGTM. Let's do E2E coverage in a follow-up. Appreciate the effort getting this in for 1.3! |
|
Did I miss another generation is that why the test is failing? |
|
@jfrazelle more generation/verification fun: |
|
ah got it On Tue, May 24, 2016 at 10:05 AM, Andy Goldstein notifications@github.com
Jessie Frazelle |
|
@jfrazelle squash please? |
Signed-off-by: Jess Frazelle <me@jessfraz.com>
|
done |
pmorie
added
the
lgtm
|
LGTM, thanks! |
|
Nooooooooooooooo :( |
Hmm, looks like you hit this: #26270 |
|
@k8s-bot e2e test this issue: #IGNORE will try to investigate if time permits |
|
GCE e2e build/test passed for commit aa8c72a. |
|
Yay! thanks! On Thu, May 26, 2016 at 10:51 AM, Alex Mohr notifications@github.com
Jessie Frazelle |
| return nil, err | ||
| } | ||
|
|
||
| return []string{fmt.Sprintf("seccomp=%s", b.Bytes())}, nil |
There was a problem hiding this comment.
Should this really be the compacted file content or the filename itself? Compare https://docs.docker.com/engine/security/seccomp/
There was a problem hiding this comment.
Yes it needs to be the file contents. The docker cli takes a file name,
reads its contents, and transmits the contents to the daemon.
On Wednesday, June 8, 2016, Dr. Stefan Schimanski notifications@github.com
wrote:
In pkg/kubelet/dockertools/manager.go
#25324 (comment)
:
- if !strings.HasPrefix(profile, "localhost") {
return nil, fmt.Errorf("unknown seccomp profile option: %s", profile)- }
- file, err := ioutil.ReadFile(filepath.Join(dm.seccompProfileRoot, strings.TrimPrefix(profile, "localhost/")))
- if err != nil {
return nil, err- }
- b := bytes.NewBuffer(nil)
- if err := json.Compact(b, file); err != nil {
return nil, err- }
- return []string{fmt.Sprintf("seccomp=%s", b.Bytes())}, nil
Should this really be the compacted file content or the filename itself?
Compare https://docs.docker.com/engine/security/seccomp/—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/kubernetes/kubernetes/pull/25324/files/aa8c72adaaab6cba51ff868516ac5b423a95f069#r66230042,
or mute the thread
https://github.com/notifications/unsubscribe/AAABYoMSK4m547F8EFFS3otQ56-RjCKAks5qJpe1gaJpZM4IZwJt
.
This is a WIP of #24602, with some included changes to that proposal that I mentioned on it. For the most part those changes are that instead of passing the path to the profiles, the
SeccompProfilestruct is passed to the API. This way if usingkubectlyou can pass a local profile.Things left to do:
kubectl, mostly wondering about the design on this oneThis is my first PR to kubernetes so without a doubt some test somewhere will probably fail ;)