From 44afb4aa5f9a863a857b4166bafb4c23fb016099 Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Fri, 26 Jan 2024 10:52:25 -0800
Subject: [PATCH] genpolicy: ignore SeccompProfile in PodSpec

Ignore SeccompProfile in PodSpec

Signed-off-by: Saul Paredes
---
 src/tools/genpolicy/src/pod.rs | 14 ++++++++++++++
 .../runtimeclass_workloads/k8s-policy-pod.yaml | 3 +++
 2 files changed, 17 insertions(+)

diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
index cb64c0c7fb..737a3ca91b 100644
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@@ -283,6 +283,19 @@ struct SecurityContext {
 #[serde(skip_serializing_if = "Option::is_none")]
 runAsUser: Option,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ seccompProfile: Option,
+}
+
+/// See Reference / Kubernetes API / Workload Resources / Pod.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+struct SeccompProfile {
+ #[serde(rename = "type")]
+ profile_type: String,
+
+ #[serde(skip_serializing_if = "Option::is_none")]
+ localhostProfile: Option,
 }
 
 /// See Reference / Kubernetes API / Workload Resources / Pod.
@@ -860,6 +873,7 @@ pub async fn add_pause_container(containers: &mut Vec, config: &Confi
 privileged: None,
 capabilities: None,
 runAsUser: None,
+ seccompProfile: None,
 }),
 ..Default::default()
 };
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
index 2323e0536e..3fa203b854 100644
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
@@ -24,3 +24,6 @@ spec:
 configMapKeyRef:
 name: policy-configmap
 key: data-2
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
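Review bot: The new `seccompProfile` field on `SecurityContext` and the `SeccompProfile` struct are deserialized but, per the commit title, nothing in the generated policy reflects them, and neither the field nor the struct says so; a reader of `SecurityContext` could assume the policy enforces the profile it carries. Suggest a doc comment on the field, `/// Parsed so the pod spec round-trips; genpolicy does not currently enforce the seccomp profile in the generated policy.` `profile_type: String` also accepts any value, whereas the Kubernetes API limits `type` to `Unconfined`, `RuntimeDefault` and `Localhost`; an enum would reject malformed input at parse time, which only matters once the value is acted on. The `SecurityContext` struct begins outside the hunk, so any existing doc on it is not visible here.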
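Review bot: Every field added to `SecurityContext` forces an edit to this literal in `add_pause_container`, which is all the second hunk does (`seccompProfile: None,`). If `SecurityContext` does not already derive `Default`, deriving it and ending this literal with `..Default::default()` (as the enclosing literal already does) would keep such additions to a single hunk. The body of `add_pause_container` starts and ends outside the hunk, so this is inferred from the visible lines only.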
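Review bot: The fixture exercises only `type: RuntimeDefault`, so the optional `localhostProfile` field introduced in pod.rs is never deserialized by this test; adding a second pod or container with `type: Localhost` and a `localhostProfile` value would cover it. The indentation of the added `securityContext` block is not recoverable from this rendering, and it decides whether this is the pod-level or the container-level securityContext; only the container-level one maps to the `SecurityContext` struct changed in pod.rs (the one carrying the container-only `privileged` field), so the author should confirm the block sits under the container entry rather than directly under `spec`.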