Merge pull request #115898 from saschagrunert/seccomp-todo

Default to sandbox `Seccomp` field instead of `SeccompProfilePath`
2025-07-23 03:41:45 +00:00 · 2023-03-09 22:43:05 -08:00 · 2023-03-09 22:43:05 -08:00 · 0018c07050
commit 0018c07050
parent beacb8d7af 58923c9f1a
2 changed files with 8 additions and 11 deletions
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@ -168,11 +168,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 		SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
 			Privileged: kubecontainer.HasPrivilegedContainer(pod),

-			// TODO: Deprecated, remove after we switch to Seccomp field
 			// Forcing sandbox to run as `runtime/default` allow users to
 			// use least privileged seccomp profiles at pod level. Issue #84623
-			SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
-
 			Seccomp: &runtimeapi.SecurityProfile{
 				ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
 			},
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
@ -67,39 +67,39 @@ func TestGeneratePodSandboxLinuxConfigSeccomp(t *testing.T) {
 	tests := []struct {
 		description     string
 		pod             *v1.Pod
-		expectedProfile string
+		expectedProfile v1.SeccompProfileType
 	}{
 		{
 			description:     "no seccomp defined at pod level should return runtime/default",
 			pod:             newSeccompPod(nil, nil, "", "runtime/default"),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 		{
 			description:     "seccomp field defined at pod level should not be honoured",
 			pod:             newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, nil, "", ""),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 		{
 			description:     "seccomp field defined at container level should not be honoured",
 			pod:             newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, "", ""),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 		{
 			description:     "seccomp annotation defined at pod level should not be honoured",
 			pod:             newSeccompPod(nil, nil, "unconfined", ""),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 		{
 			description:     "seccomp annotation defined at container level should not be honoured",
 			pod:             newSeccompPod(nil, nil, "", "unconfined"),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 	}

 	for i, test := range tests {
 		config, _ := m.generatePodSandboxLinuxConfig(test.pod)
-		actualProfile := config.SecurityContext.SeccompProfilePath
-		assert.Equal(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
+		actualProfile := config.SecurityContext.Seccomp.ProfileType.String()
+		assert.EqualValues(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
 	}
 }