From 58923c9f1adac7722314da7552d23d5c4132d0a3 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Mon, 20 Feb 2023 10:48:23 +0100
Subject: [PATCH] Default to sandbox `Seccomp` field instead of `SeccompProfilePath`

The seccomp field is the new default since a couple of releases, means we can stop using `SeccompProfilePath`.

Follow-up on https://github.com/kubernetes/kubernetes/pull/96281

Signed-off-by: Sascha Grunert
---
 pkg/kubelet/kuberuntime/kuberuntime_sandbox.go | 3 ---
 .../kuberuntime/kuberuntime_sandbox_test.go | 16 ++++++++--------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index b821c1d6080..a22a362dbd3 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -168,11 +168,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 		SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
 			Privileged: kubecontainer.HasPrivilegedContainer(pod),
-			// TODO: Deprecated, remove after we switch to Seccomp field
 			// Forcing sandbox to run as `runtime/default` allow users to
 			// use least privileged seccomp profiles at pod level. Issue #84623
-			SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
-
 			Seccomp: &runtimeapi.SecurityProfile{
 				ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
 			},
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
index 931733f2b08..09feac6e291 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
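Review bot: With `SeccompProfilePath` no longer set, a CRI runtime that still reads only the deprecated field sees no sandbox profile at all and presumably runs the sandbox without the `runtime/default` filter, yet the remaining comment does not state that the `Seccomp` field is now the sole carrier of that intent. The comment could make the contract explicit, e.g. `// Only the Seccomp field is set; runtimes that still rely on the deprecated SeccompProfilePath field receive no sandbox profile.` The commit message says the field has been the default for several releases, so the supported runtime skew likely already covers this, but the code should record the assumption. While the comment is being touched, `allow users` reads better as `allows users`. generatePodSandboxLinuxConfig starts and ends outside the hunk.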
@@ -67,39 +67,39 @@ func TestGeneratePodSandboxLinuxConfigSeccomp(t *testing.T) {
 	tests := []struct {
 		description string
 		pod *v1.Pod
-		expectedProfile string
+		expectedProfile v1.SeccompProfileType
 	}{
 		{
 			description: "no seccomp defined at pod level should return runtime/default",
 			pod: newSeccompPod(nil, nil, "", "runtime/default"),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 		{
 			description: "seccomp field defined at pod level should not be honoured",
 			pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, nil, "", ""),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 		{
 			description: "seccomp field defined at container level should not be honoured",
 			pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, "", ""),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 		{
 			description: "seccomp annotation defined at pod level should not be honoured",
 			pod: newSeccompPod(nil, nil, "unconfined", ""),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 		{
 			description: "seccomp annotation defined at container level should not be honoured",
 			pod: newSeccompPod(nil, nil, "", "unconfined"),
-			expectedProfile: "runtime/default",
+			expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
 		},
 	}
 	for i, test := range tests {
 		config, _ := m.generatePodSandboxLinuxConfig(test.pod)
-		actualProfile := config.SecurityContext.SeccompProfilePath
-		assert.Equal(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
+		actualProfile := config.SecurityContext.Seccomp.ProfileType.String()
+		assert.EqualValues(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
 	}
 }
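Review bot: The new `actualProfile := config.SecurityContext.Seccomp.ProfileType.String()` dereferences `Seccomp` without a nil check, so a regression in which the sandbox config stops populating the field would surface as a panic in the loop rather than a per-case assertion failure. Guarding the dereference keeps the failure attributable to the case: `if !assert.NotNil(t, config.SecurityContext.Seccomp, "TestCase[%d]: %s", i, test.description) { continue }`. The assertion also compares a `v1.SeccompProfileType` against the CRI enum's `String()` form via `assert.EqualValues`, which holds only while both spell the value identically; comparing `ProfileType` directly against `runtimeapi.SecurityProfile_RuntimeDefault` would pin the actual CRI value the kubelet sends. The function's signature line precedes the hunk.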