mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
Merge pull request #115898 from saschagrunert/seccomp-todo
Default to sandbox `Seccomp` field instead of `SeccompProfilePath`
This commit is contained in:
commit
0018c07050
@ -168,11 +168,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
|
||||
SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
|
||||
Privileged: kubecontainer.HasPrivilegedContainer(pod),
|
||||
|
||||
// TODO: Deprecated, remove after we switch to Seccomp field
|
||||
// Forcing sandbox to run as `runtime/default` allow users to
|
||||
// use least privileged seccomp profiles at pod level. Issue #84623
|
||||
SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
|
||||
|
||||
Seccomp: &runtimeapi.SecurityProfile{
|
||||
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
|
||||
},
|
||||
|
@ -67,39 +67,39 @@ func TestGeneratePodSandboxLinuxConfigSeccomp(t *testing.T) {
|
||||
tests := []struct {
|
||||
description string
|
||||
pod *v1.Pod
|
||||
expectedProfile string
|
||||
expectedProfile v1.SeccompProfileType
|
||||
}{
|
||||
{
|
||||
description: "no seccomp defined at pod level should return runtime/default",
|
||||
pod: newSeccompPod(nil, nil, "", "runtime/default"),
|
||||
expectedProfile: "runtime/default",
|
||||
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
|
||||
},
|
||||
{
|
||||
description: "seccomp field defined at pod level should not be honoured",
|
||||
pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, nil, "", ""),
|
||||
expectedProfile: "runtime/default",
|
||||
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
|
||||
},
|
||||
{
|
||||
description: "seccomp field defined at container level should not be honoured",
|
||||
pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, "", ""),
|
||||
expectedProfile: "runtime/default",
|
||||
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
|
||||
},
|
||||
{
|
||||
description: "seccomp annotation defined at pod level should not be honoured",
|
||||
pod: newSeccompPod(nil, nil, "unconfined", ""),
|
||||
expectedProfile: "runtime/default",
|
||||
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
|
||||
},
|
||||
{
|
||||
description: "seccomp annotation defined at container level should not be honoured",
|
||||
pod: newSeccompPod(nil, nil, "", "unconfined"),
|
||||
expectedProfile: "runtime/default",
|
||||
expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
|
||||
},
|
||||
}
|
||||
|
||||
for i, test := range tests {
|
||||
config, _ := m.generatePodSandboxLinuxConfig(test.pod)
|
||||
actualProfile := config.SecurityContext.SeccompProfilePath
|
||||
assert.Equal(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
|
||||
actualProfile := config.SecurityContext.Seccomp.ProfileType.String()
|
||||
assert.EqualValues(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user