Merge pull request #103941 from saschagrunert/seccomp-profile-root

Remove deprecated `--seccomp-profile-root`/`seccompProfileRoot` config
2025-07-29 22:46:12 +00:00 · 2021-09-02 08:52:57 -07:00 · 2021-09-02 08:52:57 -07:00 · 0b4a793da2
commit 0b4a793da2
parent 033456a2b2 46077e6be7
6 changed files with 37 additions and 40 deletions
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@ -20,7 +20,6 @@ package options
 import (
 	"fmt"
 	_ "net/http/pprof" // Enable pprof HTTP handlers.
-	"path/filepath"
 	"runtime"
 	"strings"

@ -141,9 +140,6 @@ type KubeletFlags struct {
 	// This will cause the kubelet to listen to inotify events on the lock file,
 	// releasing it and exiting when another process tries to open that file.
 	ExitOnLockContention bool
-	// seccompProfileRoot is the directory path for seccomp profiles.
-	SeccompProfileRoot string
-
 	// DEPRECATED FLAGS
 	// minimumGCAge is the minimum age for a finished container before it is
 	// garbage collected.
@ -193,7 +189,6 @@ func NewKubeletFlags() *KubeletFlags {
 		RemoteRuntimeEndpoint:   remoteRuntimeEndpoint,
 		NodeLabels:              make(map[string]string),
 		RegisterNode:            true,
-		SeccompProfileRoot:      filepath.Join(defaultRootDir, "seccomp"),
 	}
 }

@ -375,8 +370,6 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
 	fs.MarkDeprecated("keep-terminated-pod-volumes", "will be removed in a future version")
 	fs.BoolVar(&f.ReallyCrashForTesting, "really-crash-for-testing", f.ReallyCrashForTesting, "If true, when panics occur crash. Intended for testing.")
 	fs.MarkDeprecated("really-crash-for-testing", "will be removed in a future version.")
-	fs.StringVar(&f.SeccompProfileRoot, "seccomp-profile-root", f.SeccompProfileRoot, "<Warning: Alpha feature> Directory path for seccomp profiles.")
-	fs.MarkDeprecated("seccomp-profile-root", "will be removed in 1.23, in favor of using the `<root-dir>/seccomp` directory")
 	fs.StringVar(&f.ExperimentalMounterPath, "experimental-mounter-path", f.ExperimentalMounterPath, "[Experimental] Path of mounter binary. Leave empty to use the default mount.")
 	fs.MarkDeprecated("experimental-mounter-path", "will be removed in 1.23. in favor of using CSI.")
 	fs.BoolVar(&f.ExperimentalCheckNodeCapabilitiesBeforeMount, "experimental-check-node-capabilities-before-mount", f.ExperimentalCheckNodeCapabilitiesBeforeMount, "[Experimental] if set true, the kubelet will check the underlying node for required components (binaries, etc.) before performing the mount")
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@ -1183,7 +1183,6 @@ func RunKubelet(kubeServer *options.KubeletServer, kubeDeps *kubelet.Dependencie
 		kubeServer.RegisterSchedulable,
 		kubeServer.KeepTerminatedPodVolumes,
 		kubeServer.NodeLabels,
-		kubeServer.SeccompProfileRoot,
 		kubeServer.NodeStatusMaxImages,
 		kubeServer.KubeletFlags.SeccompDefault || kubeServer.KubeletConfiguration.SeccompDefault,
 	)
@ -1259,7 +1258,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 	registerSchedulable bool,
 	keepTerminatedPodVolumes bool,
 	nodeLabels map[string]string,
-	seccompProfileRoot string,
 	nodeStatusMaxImages int32,
 	seccompDefault bool,
 ) (k kubelet.Bootstrap, err error) {
@ -1294,7 +1292,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 		registerSchedulable,
 		keepTerminatedPodVolumes,
 		nodeLabels,
-		seccompProfileRoot,
 		nodeStatusMaxImages,
 		seccompDefault,
 	)
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@ -374,7 +374,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 	registerSchedulable bool,
 	keepTerminatedPodVolumes bool,
 	nodeLabels map[string]string,
-	seccompProfileRoot string,
 	nodeStatusMaxImages int32,
 	seccompDefault bool,
 ) (*Kubelet, error) {
@ -665,7 +664,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 		klet.livenessManager,
 		klet.readinessManager,
 		klet.startupManager,
-		seccompProfileRoot,
+		rootDirectory,
 		machineInfo,
 		klet.podWorkers,
 		kubeDeps.OSInterface,
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
@ -31,6 +31,14 @@ import (
 	utilpointer "k8s.io/utils/pointer"
 )

+func seccompLocalhostRef(profileName string) string {
+	return filepath.Join(fakeSeccompProfileRoot, profileName)
+}
+
+func seccompLocalhostPath(profileName string) string {
+	return "localhost/" + seccompLocalhostRef(profileName)
+}
+
 func TestStableKey(t *testing.T) {
 	container := &v1.Container{
 		Name:  "test_container",
@ -353,7 +361,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 			annotation: map[string]string{
 				v1.SeccompPodAnnotationKey: "localhost/chmod.json",
 			},
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+			expectedProfile: seccompLocalhostPath("chmod.json"),
 		},
 		{
 			description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
@ -361,7 +369,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 				v1.SeccompPodAnnotationKey: "localhost/chmod.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+			expectedProfile: seccompLocalhostPath("chmod.json"),
 		},
 		{
 			description: "annotations: container localhost seccomp profile with containerName should return local profile path",
@ -369,7 +377,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 				v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+			expectedProfile: seccompLocalhostPath("chmod.json"),
 		},
 		{
 			description: "annotations: container localhost seccomp profile should override pod profile",
@ -378,7 +386,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 				v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+			expectedProfile: seccompLocalhostPath("chmod.json"),
 		},
 		{
 			description: "annotations: container localhost seccomp profile with unmatched containerName should return empty",
@ -411,7 +419,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 		{
 			description:     "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
 			podSc:           &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"),
+			expectedProfile: seccompLocalhostPath("filename"),
 		},
 		{
 			description:     "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
@ -426,7 +434,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 		{
 			description:     "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
 			containerSc:     &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"),
+			expectedProfile: seccompLocalhostPath("filename2"),
 		},
 		{
 			description:     "prioritise container field over pod field",
@ -443,7 +451,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 				v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
+			expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
 		},
 		{
 			description: "prioritise container annotation over pod field",
@ -453,7 +461,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 				v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"),
+			expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
 		},
 		{
 			description: "prioritise pod field over pod annotation",
@ -462,7 +470,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 				v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"),
+			expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
 		},
 	}

@ -543,7 +551,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 			annotation: map[string]string{
 				v1.SeccompPodAnnotationKey: "localhost/chmod.json",
 			},
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+			expectedProfile: seccompLocalhostPath("chmod.json"),
 		},
 		{
 			description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
@ -551,7 +559,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 				v1.SeccompPodAnnotationKey: "localhost/chmod.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+			expectedProfile: seccompLocalhostPath("chmod.json"),
 		},
 		{
 			description: "annotations: container localhost seccomp profile with containerName should return local profile path",
@ -559,7 +567,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 				v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+			expectedProfile: seccompLocalhostPath("chmod.json"),
 		},
 		{
 			description: "annotations: container localhost seccomp profile should override pod profile",
@ -568,7 +576,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 				v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+			expectedProfile: seccompLocalhostPath("chmod.json"),
 		},
 		{
 			description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default",
@ -601,7 +609,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 		{
 			description:     "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
 			podSc:           &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"),
+			expectedProfile: seccompLocalhostPath("filename"),
 		},
 		{
 			description:     "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
@ -616,7 +624,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 		{
 			description:     "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
 			containerSc:     &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"),
+			expectedProfile: seccompLocalhostPath("filename2"),
 		},
 		{
 			description:     "prioritise container field over pod field",
@ -633,7 +641,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 				v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
+			expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
 		},
 		{
 			description: "prioritise container annotation over pod field",
@ -643,7 +651,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 				v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"),
+			expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
 		},
 		{
 			description: "prioritise pod field over pod annotation",
@ -652,7 +660,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 				v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
 			},
 			containerName:   "container1",
-			expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"),
+			expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
 		},
 	}

@ -711,7 +719,7 @@ func TestGetSeccompProfile(t *testing.T) {
 			podSc:       &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
 			expectedProfile: &runtimeapi.SecurityProfile{
 				ProfileType:  runtimeapi.SecurityProfile_Localhost,
-				LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"),
+				LocalhostRef: seccompLocalhostRef("filename"),
 			},
 		},
 		{
@ -729,7 +737,7 @@ func TestGetSeccompProfile(t *testing.T) {
 			containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
 			expectedProfile: &runtimeapi.SecurityProfile{
 				ProfileType:  runtimeapi.SecurityProfile_Localhost,
-				LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"),
+				LocalhostRef: seccompLocalhostRef("filename2"),
 			},
 		},
 		{
@ -745,7 +753,7 @@ func TestGetSeccompProfile(t *testing.T) {
 			containerName: "container1",
 			expectedProfile: &runtimeapi.SecurityProfile{
 				ProfileType:  runtimeapi.SecurityProfile_Localhost,
-				LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
+				LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
 			},
 		},
 	}
@ -805,7 +813,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
 			podSc:       &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
 			expectedProfile: &runtimeapi.SecurityProfile{
 				ProfileType:  runtimeapi.SecurityProfile_Localhost,
-				LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"),
+				LocalhostRef: seccompLocalhostRef("filename"),
 			},
 		},
 		{
@ -823,7 +831,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
 			containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
 			expectedProfile: &runtimeapi.SecurityProfile{
 				ProfileType:  runtimeapi.SecurityProfile_Localhost,
-				LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"),
+				LocalhostRef: seccompLocalhostRef("filename2"),
 			},
 		},
 		{
@ -839,7 +847,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
 			containerName: "container1",
 			expectedProfile: &runtimeapi.SecurityProfile{
 				ProfileType:  runtimeapi.SecurityProfile_Localhost,
-				LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
+				LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
 			},
 		},
 	}
--- a/pkg/kubelet/kuberuntime/kuberuntime_manager.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	goruntime "runtime"
 	"time"

@ -177,7 +178,7 @@ func NewKubeGenericRuntimeManager(
 	livenessManager proberesults.Manager,
 	readinessManager proberesults.Manager,
 	startupManager proberesults.Manager,
-	seccompProfileRoot string,
+	rootDirectory string,
 	machineInfo *cadvisorapi.MachineInfo,
 	podStateProvider podStateProvider,
 	osInterface kubecontainer.OSInterface,
@ -206,7 +207,7 @@ func NewKubeGenericRuntimeManager(
 		recorder:               recorder,
 		cpuCFSQuota:            cpuCFSQuota,
 		cpuCFSQuotaPeriod:      cpuCFSQuotaPeriod,
-		seccompProfileRoot:     seccompProfileRoot,
+		seccompProfileRoot:     filepath.Join(rootDirectory, "seccomp"),
 		livenessManager:        livenessManager,
 		readinessManager:       readinessManager,
 		startupManager:         startupManager,
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
@ -3384,8 +3384,7 @@ const (
 	// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile.
 	SeccompProfileTypeRuntimeDefault SeccompProfileType = "RuntimeDefault"
 	// SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used.
-	// The file's location is based off the kubelet's deprecated flag --seccomp-profile-root.
-	// Once the flag support is removed the location will be <kubelet-root-dir>/seccomp.
+	// The file's location relative to <kubelet-root-dir>/seccomp.
 	SeccompProfileTypeLocalhost SeccompProfileType = "Localhost"
 )