github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #115898 from saschagrunert/seccomp-todo

Browse Source 
Default to sandbox `Seccomp` field instead of `SeccompProfilePath`
This commit is contained in:
Kubernetes Prow Robot 2023-03-09 22:43:05 -08:00 committed by GitHub
commit 0018c07050
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
View File

@ -168,11 +168,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{ SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
Privileged: kubecontainer.HasPrivilegedContainer(pod), Privileged: kubecontainer.HasPrivilegedContainer(pod),
// TODO: Deprecated, remove after we switch to Seccomp field
// Forcing sandbox to run as `runtime/default` allow users to // Forcing sandbox to run as `runtime/default` allow users to
// use least privileged seccomp profiles at pod level. Issue #84623 // use least privileged seccomp profiles at pod level. Issue #84623
SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
Seccomp: &runtimeapi.SecurityProfile{ Seccomp: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_RuntimeDefault, ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
}, },

16
pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go
View File

@ -67,39 +67,39 @@ func TestGeneratePodSandboxLinuxConfigSeccomp(t *testing.T) {
tests := []struct { tests := []struct {
description string description string
pod *v1.Pod pod *v1.Pod
expectedProfile string expectedProfile v1.SeccompProfileType
}{ }{
{ {
description: "no seccomp defined at pod level should return runtime/default", description: "no seccomp defined at pod level should return runtime/default",
pod: newSeccompPod(nil, nil, "", "runtime/default"), pod: newSeccompPod(nil, nil, "", "runtime/default"),
expectedProfile: "runtime/default", expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
}, },
{ {
description: "seccomp field defined at pod level should not be honoured", description: "seccomp field defined at pod level should not be honoured",
pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, nil, "", ""), pod: newSeccompPod(&v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, nil, "", ""),
expectedProfile: "runtime/default", expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
}, },
{ {
description: "seccomp field defined at container level should not be honoured", description: "seccomp field defined at container level should not be honoured",
pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, "", ""), pod: newSeccompPod(nil, &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}, "", ""),
expectedProfile: "runtime/default", expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
}, },
{ {
description: "seccomp annotation defined at pod level should not be honoured", description: "seccomp annotation defined at pod level should not be honoured",
pod: newSeccompPod(nil, nil, "unconfined", ""), pod: newSeccompPod(nil, nil, "unconfined", ""),
expectedProfile: "runtime/default", expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
}, },
{ {
description: "seccomp annotation defined at container level should not be honoured", description: "seccomp annotation defined at container level should not be honoured",
pod: newSeccompPod(nil, nil, "", "unconfined"), pod: newSeccompPod(nil, nil, "", "unconfined"),
expectedProfile: "runtime/default", expectedProfile: v1.SeccompProfileTypeRuntimeDefault,
}, },
} }
for i, test := range tests { for i, test := range tests {
config, _ := m.generatePodSandboxLinuxConfig(test.pod) config, _ := m.generatePodSandboxLinuxConfig(test.pod)
actualProfile := config.SecurityContext.SeccompProfilePath actualProfile := config.SecurityContext.Seccomp.ProfileType.String()
assert.Equal(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description) assert.EqualValues(t, test.expectedProfile, actualProfile, "TestCase[%d]: %s", i, test.description)
} }
} }