Support seccomp profile from container's security context #49178
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/M
k8s-github-robot
added
size/L
k8s-github-robot
added
size/XL
|
/unassign |
feiskyer
changed the title
|
/assign @yujuhong |
feiskyer
force-pushed
the
seccomp-impl
branch
2 times, most recently
from
944ed1a to
f0b8578
Compare
k8s-github-robot
added
size/L
|
@yujuhong Rebased. PTAL. |
|
/test pull-kubernetes-e2e-gce-etcd3 |
cmd/kubelet/app/server.go
Outdated
| @@ -983,7 +983,7 @@ func RunDockershim(c *componentconfig.KubeletConfiguration, r *options.Container | |||
| SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols, | |||
| } | |||
|
|
|||
| ds, err := dockershim.NewDockerService(dockerClient, c.SeccompProfileRoot, r.PodSandboxImage, | |||
| ds, err := dockershim.NewDockerService(dockerClient, r.PodSandboxImage, | |||
There was a problem hiding this comment.
nit: Could you rearrange this a little bit? Since this line get shorter now.
pkg/kubelet/kuberuntime/helpers.go
Outdated
| @@ -255,3 +256,30 @@ func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string | |||
|
|
|||
| return sysctls, nil | |||
| } | |||
|
|
|||
| // getSeccompProfileFromAnnotations gets seccomp profile from annotations. | |||
| // It gets pod's profile if containerName is null. | |||
pkg/kubelet/kubelet.go
Outdated
| @@ -572,7 +572,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Dep | |||
| case kubetypes.DockerContainerRuntime: | |||
| // Create and start the CRI shim running as a grpc server. | |||
| streamingConfig := getStreamingConfig(kubeCfg, kubeDeps) | |||
| ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, kubeCfg.SeccompProfileRoot, crOptions.PodSandboxImage, | |||
| ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, crOptions.PodSandboxImage, | |||
| expectedOpts: []string{`seccomp={"foo":"bar"}`}, | ||
| expectErr: false, | ||
| msg: "Seccomp localhost/test profile", | ||
| seccompProfile: "localhost/fixtures/seccomp/test", |
There was a problem hiding this comment.
At least add comment to explain that we are abusing localhost/ for test now, because fixtures/seccomp/test is not an absolute path.
|
|
||
| return []dockerOpt{{"seccomp", b.String(), msg}}, nil | ||
| } | ||
|
|
||
| // getSeccompSecurityOpts gets container seccomp options from container and sandbox | ||
| // config, currently from sandbox annotations. | ||
| // getSeccompSecurityOpts gets container seccomp options from container security context. |
There was a problem hiding this comment.
from container seccomp profile?
|
|
||
| if strings.HasPrefix(profile, "localhost/") { | ||
| name := strings.TrimPrefix(profile, "localhost/") | ||
| fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name)) |
|
@feiskyer Several questions:
As for 1), one option is to convert However, I discussed this with @yujuhong today, we think that user may really be expecting "Docker" default. We should not silently convert Ideally, we should have kubelet default, and pass this default to runtime. However, that requires Kubernetes api change. So for now, we can only keep passing |
|
/retest Review the full test history for this PR. |
3 similar comments
|
/retest Review the full test history for this PR. |
|
/retest Review the full test history for this PR. |
|
/retest Review the full test history for this PR. |
k8s-github-robot
removed
the
lgtm
|
Made a rebase to fix the pull-kubernetes-verify problem. |
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Random-Liu, feiskyer Associated issue: 46332 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
@Random-Liu Thanks. |
|
/retest |
|
Automatic merge from submit-queue |
@feiskyer @Random-Liu this is not correct btw, CRI-O has its own seccomp profile which can actually be used. CRI-O isn't going to error out, but calling |
|
@runcom: GitHub didn't allow me to request PR reviews from the following users: rhatdan. Note that only kubernetes members can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@runcom, kubelet passes the seccomp profile name from the Kubernetes API to the runtime directly. The exact profile name used in the pod annotation is |
|
BTW, there is ongoing work to define a default profile for kuberentes: kubernetes/community#660 |
What this PR does / why we need it:
Support seccomp profile from container's security context, followup of #46332.
Which issue this PR fixes
fixes #46332.
Special notes for your reviewer:
Depends on #49179. (already merged)Release note: