Merge pull request #103941 from saschagrunert/seccomp-profile-root
Remove deprecated `--seccomp-profile-root`/`seccompProfileRoot` config
This commit is contained in:
commit
0b4a793da2
@ -20,7 +20,6 @@ package options
|
||||
import (
|
||||
"fmt"
|
||||
_ "net/http/pprof" // Enable pprof HTTP handlers.
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strings"
|
||||
|
||||
@ -141,9 +140,6 @@ type KubeletFlags struct {
|
||||
// This will cause the kubelet to listen to inotify events on the lock file,
|
||||
// releasing it and exiting when another process tries to open that file.
|
||||
ExitOnLockContention bool
|
||||
// seccompProfileRoot is the directory path for seccomp profiles.
|
||||
SeccompProfileRoot string
|
||||
|
||||
// DEPRECATED FLAGS
|
||||
// minimumGCAge is the minimum age for a finished container before it is
|
||||
// garbage collected.
|
||||
@ -193,7 +189,6 @@ func NewKubeletFlags() *KubeletFlags {
|
||||
RemoteRuntimeEndpoint: remoteRuntimeEndpoint,
|
||||
NodeLabels: make(map[string]string),
|
||||
RegisterNode: true,
|
||||
SeccompProfileRoot: filepath.Join(defaultRootDir, "seccomp"),
|
||||
}
|
||||
}
|
||||
|
||||
@ -375,8 +370,6 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
|
||||
fs.MarkDeprecated("keep-terminated-pod-volumes", "will be removed in a future version")
|
||||
fs.BoolVar(&f.ReallyCrashForTesting, "really-crash-for-testing", f.ReallyCrashForTesting, "If true, when panics occur crash. Intended for testing.")
|
||||
fs.MarkDeprecated("really-crash-for-testing", "will be removed in a future version.")
|
||||
fs.StringVar(&f.SeccompProfileRoot, "seccomp-profile-root", f.SeccompProfileRoot, "<Warning: Alpha feature> Directory path for seccomp profiles.")
|
||||
fs.MarkDeprecated("seccomp-profile-root", "will be removed in 1.23, in favor of using the `<root-dir>/seccomp` directory")
|
||||
fs.StringVar(&f.ExperimentalMounterPath, "experimental-mounter-path", f.ExperimentalMounterPath, "[Experimental] Path of mounter binary. Leave empty to use the default mount.")
|
||||
fs.MarkDeprecated("experimental-mounter-path", "will be removed in 1.23. in favor of using CSI.")
|
||||
fs.BoolVar(&f.ExperimentalCheckNodeCapabilitiesBeforeMount, "experimental-check-node-capabilities-before-mount", f.ExperimentalCheckNodeCapabilitiesBeforeMount, "[Experimental] if set true, the kubelet will check the underlying node for required components (binaries, etc.) before performing the mount")
|
||||
|
@ -1183,7 +1183,6 @@ func RunKubelet(kubeServer *options.KubeletServer, kubeDeps *kubelet.Dependencie
|
||||
kubeServer.RegisterSchedulable,
|
||||
kubeServer.KeepTerminatedPodVolumes,
|
||||
kubeServer.NodeLabels,
|
||||
kubeServer.SeccompProfileRoot,
|
||||
kubeServer.NodeStatusMaxImages,
|
||||
kubeServer.KubeletFlags.SeccompDefault || kubeServer.KubeletConfiguration.SeccompDefault,
|
||||
)
|
||||
@ -1259,7 +1258,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
|
||||
registerSchedulable bool,
|
||||
keepTerminatedPodVolumes bool,
|
||||
nodeLabels map[string]string,
|
||||
seccompProfileRoot string,
|
||||
nodeStatusMaxImages int32,
|
||||
seccompDefault bool,
|
||||
) (k kubelet.Bootstrap, err error) {
|
||||
@ -1294,7 +1292,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
|
||||
registerSchedulable,
|
||||
keepTerminatedPodVolumes,
|
||||
nodeLabels,
|
||||
seccompProfileRoot,
|
||||
nodeStatusMaxImages,
|
||||
seccompDefault,
|
||||
)
|
||||
|
@ -374,7 +374,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
|
||||
registerSchedulable bool,
|
||||
keepTerminatedPodVolumes bool,
|
||||
nodeLabels map[string]string,
|
||||
seccompProfileRoot string,
|
||||
nodeStatusMaxImages int32,
|
||||
seccompDefault bool,
|
||||
) (*Kubelet, error) {
|
||||
@ -665,7 +664,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
|
||||
klet.livenessManager,
|
||||
klet.readinessManager,
|
||||
klet.startupManager,
|
||||
seccompProfileRoot,
|
||||
rootDirectory,
|
||||
machineInfo,
|
||||
klet.podWorkers,
|
||||
kubeDeps.OSInterface,
|
||||
|
@ -31,6 +31,14 @@ import (
|
||||
utilpointer "k8s.io/utils/pointer"
|
||||
)
|
||||
|
||||
func seccompLocalhostRef(profileName string) string {
|
||||
return filepath.Join(fakeSeccompProfileRoot, profileName)
|
||||
}
|
||||
|
||||
func seccompLocalhostPath(profileName string) string {
|
||||
return "localhost/" + seccompLocalhostRef(profileName)
|
||||
}
|
||||
|
||||
func TestStableKey(t *testing.T) {
|
||||
container := &v1.Container{
|
||||
Name: "test_container",
|
||||
@ -353,7 +361,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
annotation: map[string]string{
|
||||
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
|
||||
},
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
|
||||
expectedProfile: seccompLocalhostPath("chmod.json"),
|
||||
},
|
||||
{
|
||||
description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
|
||||
@ -361,7 +369,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
|
||||
expectedProfile: seccompLocalhostPath("chmod.json"),
|
||||
},
|
||||
{
|
||||
description: "annotations: container localhost seccomp profile with containerName should return local profile path",
|
||||
@ -369,7 +377,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
|
||||
expectedProfile: seccompLocalhostPath("chmod.json"),
|
||||
},
|
||||
{
|
||||
description: "annotations: container localhost seccomp profile should override pod profile",
|
||||
@ -378,7 +386,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
|
||||
expectedProfile: seccompLocalhostPath("chmod.json"),
|
||||
},
|
||||
{
|
||||
description: "annotations: container localhost seccomp profile with unmatched containerName should return empty",
|
||||
@ -411,7 +419,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
{
|
||||
description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
|
||||
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"),
|
||||
expectedProfile: seccompLocalhostPath("filename"),
|
||||
},
|
||||
{
|
||||
description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
|
||||
@ -426,7 +434,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
{
|
||||
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
|
||||
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"),
|
||||
expectedProfile: seccompLocalhostPath("filename2"),
|
||||
},
|
||||
{
|
||||
description: "prioritise container field over pod field",
|
||||
@ -443,7 +451,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
|
||||
expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
|
||||
},
|
||||
{
|
||||
description: "prioritise container annotation over pod field",
|
||||
@ -453,7 +461,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"),
|
||||
expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
|
||||
},
|
||||
{
|
||||
description: "prioritise pod field over pod annotation",
|
||||
@ -462,7 +470,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
|
||||
v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"),
|
||||
expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
|
||||
},
|
||||
}
|
||||
|
||||
@ -543,7 +551,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
annotation: map[string]string{
|
||||
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
|
||||
},
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
|
||||
expectedProfile: seccompLocalhostPath("chmod.json"),
|
||||
},
|
||||
{
|
||||
description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
|
||||
@ -551,7 +559,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
|
||||
expectedProfile: seccompLocalhostPath("chmod.json"),
|
||||
},
|
||||
{
|
||||
description: "annotations: container localhost seccomp profile with containerName should return local profile path",
|
||||
@ -559,7 +567,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
|
||||
expectedProfile: seccompLocalhostPath("chmod.json"),
|
||||
},
|
||||
{
|
||||
description: "annotations: container localhost seccomp profile should override pod profile",
|
||||
@ -568,7 +576,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
|
||||
expectedProfile: seccompLocalhostPath("chmod.json"),
|
||||
},
|
||||
{
|
||||
description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default",
|
||||
@ -601,7 +609,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
{
|
||||
description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
|
||||
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"),
|
||||
expectedProfile: seccompLocalhostPath("filename"),
|
||||
},
|
||||
{
|
||||
description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
|
||||
@ -616,7 +624,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
{
|
||||
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
|
||||
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"),
|
||||
expectedProfile: seccompLocalhostPath("filename2"),
|
||||
},
|
||||
{
|
||||
description: "prioritise container field over pod field",
|
||||
@ -633,7 +641,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
|
||||
expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
|
||||
},
|
||||
{
|
||||
description: "prioritise container annotation over pod field",
|
||||
@ -643,7 +651,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"),
|
||||
expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
|
||||
},
|
||||
{
|
||||
description: "prioritise pod field over pod annotation",
|
||||
@ -652,7 +660,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
|
||||
v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
|
||||
},
|
||||
containerName: "container1",
|
||||
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"),
|
||||
expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
|
||||
},
|
||||
}
|
||||
|
||||
@ -711,7 +719,7 @@ func TestGetSeccompProfile(t *testing.T) {
|
||||
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
|
||||
expectedProfile: &runtimeapi.SecurityProfile{
|
||||
ProfileType: runtimeapi.SecurityProfile_Localhost,
|
||||
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"),
|
||||
LocalhostRef: seccompLocalhostRef("filename"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -729,7 +737,7 @@ func TestGetSeccompProfile(t *testing.T) {
|
||||
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
|
||||
expectedProfile: &runtimeapi.SecurityProfile{
|
||||
ProfileType: runtimeapi.SecurityProfile_Localhost,
|
||||
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"),
|
||||
LocalhostRef: seccompLocalhostRef("filename2"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -745,7 +753,7 @@ func TestGetSeccompProfile(t *testing.T) {
|
||||
containerName: "container1",
|
||||
expectedProfile: &runtimeapi.SecurityProfile{
|
||||
ProfileType: runtimeapi.SecurityProfile_Localhost,
|
||||
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
|
||||
LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
|
||||
},
|
||||
},
|
||||
}
|
||||
@ -805,7 +813,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
|
||||
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
|
||||
expectedProfile: &runtimeapi.SecurityProfile{
|
||||
ProfileType: runtimeapi.SecurityProfile_Localhost,
|
||||
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"),
|
||||
LocalhostRef: seccompLocalhostRef("filename"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -823,7 +831,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
|
||||
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
|
||||
expectedProfile: &runtimeapi.SecurityProfile{
|
||||
ProfileType: runtimeapi.SecurityProfile_Localhost,
|
||||
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"),
|
||||
LocalhostRef: seccompLocalhostRef("filename2"),
|
||||
},
|
||||
},
|
||||
{
|
||||
@ -839,7 +847,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
|
||||
containerName: "container1",
|
||||
expectedProfile: &runtimeapi.SecurityProfile{
|
||||
ProfileType: runtimeapi.SecurityProfile_Localhost,
|
||||
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
|
||||
LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
|
||||
},
|
||||
},
|
||||
}
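Review bot: Every Localhost case in these tables joins a plain file name under the root, so the suite never pins what getSeccompProfilePath/getSeccompProfile return for a LocalhostProfile such as `../../etc/foo.json` or an absolute `/etc/foo.json`, which `filepath.Join` would carry straight through into `LocalhostRef` and out of `<root-dir>/seccomp`. Whether such names are rejected by API validation before they reach the kubelet is not visible here, so a test case asserting the expected result for a traversal name would document that contract at the point where the path is built. The new helpers also lack doc comments; `// seccompLocalhostRef returns the on-node path of a test profile under fakeSeccompProfileRoot.` and `// seccompLocalhostPath returns the CRI-style "localhost/<ref>" form of the same profile.` would do.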
|
||||
|
@ -20,6 +20,7 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
goruntime "runtime"
|
||||
"time"
|
||||
|
||||
@ -177,7 +178,7 @@ func NewKubeGenericRuntimeManager(
|
||||
livenessManager proberesults.Manager,
|
||||
readinessManager proberesults.Manager,
|
||||
startupManager proberesults.Manager,
|
||||
seccompProfileRoot string,
|
||||
rootDirectory string,
|
||||
machineInfo *cadvisorapi.MachineInfo,
|
||||
podStateProvider podStateProvider,
|
||||
osInterface kubecontainer.OSInterface,
|
||||
@ -206,7 +207,7 @@ func NewKubeGenericRuntimeManager(
|
||||
recorder: recorder,
|
||||
cpuCFSQuota: cpuCFSQuota,
|
||||
cpuCFSQuotaPeriod: cpuCFSQuotaPeriod,
|
||||
seccompProfileRoot: seccompProfileRoot,
|
||||
seccompProfileRoot: filepath.Join(rootDirectory, "seccomp"),
|
||||
livenessManager: livenessManager,
|
||||
readinessManager: readinessManager,
|
||||
startupManager: startupManager,
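Review bot: The replacement `seccompProfileRoot: filepath.Join(rootDirectory, "seccomp")` silently yields the relative path `seccomp` when rootDirectory is empty, and a relative root is resolved by the container runtime against its own working directory rather than the kubelet's, since the joined value is what ends up in the CRI `LocalhostRef` (as the test expectations in helpers_test.go show). Nothing in this hunk checks that rootDirectory is absolute and non-empty; if that guarantee comes from kubelet startup, a comment on the assignment would save the next reader the search, e.g. `// Localhost seccomp profiles are always resolved under <root-dir>/seccomp; rootDirectory is expected to be an absolute path validated at kubelet startup.` Otherwise an explicit error return from the constructor for an empty or relative rootDirectory would be safer than a silent relative path. NewKubeGenericRuntimeManager's body starts and ends outside the hunk.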
|
||||
|
@ -3384,8 +3384,7 @@ const (
|
||||
// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile.
|
||||
SeccompProfileTypeRuntimeDefault SeccompProfileType = "RuntimeDefault"
|
||||
// SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used.
|
||||
// The file's location is based off the kubelet's deprecated flag --seccomp-profile-root.
|
||||
// Once the flag support is removed the location will be <kubelet-root-dir>/seccomp.
|
||||
// The file's location relative to <kubelet-root-dir>/seccomp.
|
||||
SeccompProfileTypeLocalhost SeccompProfileType = "Localhost"
|
||||
)
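Review bot: The replacement doc line `// The file's location relative to <kubelet-root-dir>/seccomp.` is missing its verb and reads as a fragment in the generated API reference; `// The file's location is relative to <kubelet-root-dir>/seccomp.` states it fully. Since this comment is the user-facing contract for Localhost profiles, it would also help to spell out that LocalhostProfile is interpreted as a path inside that directory, e.g. `// LocalhostProfile is resolved as a path under <kubelet-root-dir>/seccomp on the node.` The enclosing const block starts outside the hunk.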
|
||||
|
||||
|