Merge pull request #115898 from saschagrunert/seccomp-todo

Default to sandbox `Seccomp` field instead of `SeccompProfilePath`
Kubernetes Prow Robot 2023-03-09 22:43:05 -08:00 committed by GitHub
commit 0018c07050
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 11 deletions


@ -168,11 +168,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
Privileged: kubecontainer.HasPrivilegedContainer(pod),
// TODO: Deprecated, remove after we switch to Seccomp field
// Forcing sandbox to run as `runtime/default` allow users to
// use least privileged seccomp profiles at pod level. Issue #84623
SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
Seccomp: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
},
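Review bot: The sandbox's seccomp confinement now flows only through the `Seccomp` field, so a CRI runtime that still reads just the deprecated `SeccompProfilePath` would see an empty path and, depending on its own fallback, could start the pause container unconfined; the commit does not record which runtime versions are assumed to honour `Seccomp`. That assumption belongs next to the field, and the surviving comment has a grammar slip, so I would replace the two comment lines with `// Forcing the sandbox to run as runtime/default lets users apply least-privileged seccomp profiles at pod level (issue #84623). Only the Seccomp field is populated now, so the runtime must support it; SeccompProfilePath is no longer set.` Whether the `Seccomp` literal is new or was already present cannot be recovered from this rendering. generatePodSandboxLinuxConfig begins before the hunk and the struct literal continues past it.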


@ -67,39 +67,39 @@ func TestGeneratePodSandboxLinuxConfigSeccomp(t *testing.T) {
tests := []struct {
description string
pod *v1.Pod
expectedProfile string
expectedProfile v1.SeccompProfileType
}{
{
description: "no seccomp defined at pod level should return runtime/default",
pod: newSeccompPod(nil, nil, "", "runtime/default"),
expectedProfile: "runtime/default",
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
},
{
description: "seccomp field defined at pod level should not be honoured",
pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, nil, "", ""),
expectedProfile: "runtime/default",
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
},
{
description: "seccomp field defined at container level should not be honoured",
pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, "", ""),
expectedProfile: "runtime/default",
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
},
{
description: "seccomp annotation defined at pod level should not be honoured",
pod: newSeccompPod(nil, nil, "unconfined", ""),
expectedProfile: "runtime/default",
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
},
{
description: "seccomp annotation defined at container level should not be honoured",
pod: newSeccompPod(nil, nil, "", "unconfined"),
expectedProfile: "runtime/default",
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
},
}
for i, test := range tests {
config, _ := m.generatePodSandboxLinuxConfig(test.pod)
actualProfile := config.SecurityContext.SeccompProfilePath
assert.Equal(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
actualProfile := config.SecurityContext.Seccomp.ProfileType.String()
assert.EqualValues(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
}
}
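Review bot: The new assertion at the end of the loop compares the CRI enum's `String()` output against a `v1.SeccompProfileType`, so the test only passes because the protobuf enum name `RuntimeDefault` happens to equal the v1 constant's string, and `EqualValues` is needed to paper over the type mismatch; it also dereferences `config.SecurityContext.Seccomp` with no nil check, which would panic rather than report a failure if the field is ever left unset. Since the field under test is the CRI one, the table should carry `expectedProfile runtimeapi.SecurityProfile_ProfileType` with `runtimeapi.SecurityProfile_RuntimeDefault` in each case and the loop should assert on the enum directly after a nil guard, as sketched below. The error from generatePodSandboxLinuxConfig on the unchanged line above is still discarded; checking it is nil would surface a silent failure. `m` and newSeccompPod are defined outside the hunk.
```go
tests := []struct {
	description     string
	pod             *v1.Pod
	expectedProfile runtimeapi.SecurityProfile_ProfileType
}{
	// … unchanged: the five cases, each with expectedProfile: runtimeapi.SecurityProfile_RuntimeDefault …
}
for i, test := range tests {
	config, err := m.generatePodSandboxLinuxConfig(test.pod)
	assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
	if !assert.NotNil(t, config.SecurityContext.Seccomp, "TestCase[%d]: %s", i, test.description) {
		continue
	}
	assert.Equal(t, test.expectedProfile, config.SecurityContext.Seccomp.ProfileType, "TestCase[%d]: %s", i, test.description)
}
```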