Merge pull request #103941 from saschagrunert/seccomp-profile-root

Remove deprecated `--seccomp-profile-root`/`seccompProfileRoot` config
Kubernetes Prow Robot 2021-09-02 08:52:57 -07:00 committed by GitHub
commit 0b4a793da2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 37 additions and 40 deletions


@ -20,7 +20,6 @@ package options
import (
"fmt"
_ "net/http/pprof" // Enable pprof HTTP handlers.
"path/filepath"
"runtime"
"strings"
@ -141,9 +140,6 @@ type KubeletFlags struct {
// This will cause the kubelet to listen to inotify events on the lock file,
// releasing it and exiting when another process tries to open that file.
ExitOnLockContention bool
// seccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot string
// DEPRECATED FLAGS
// minimumGCAge is the minimum age for a finished container before it is
// garbage collected.
@ -193,7 +189,6 @@ func NewKubeletFlags() *KubeletFlags {
RemoteRuntimeEndpoint: remoteRuntimeEndpoint,
NodeLabels: make(map[string]string),
RegisterNode: true,
SeccompProfileRoot: filepath.Join(defaultRootDir, "seccomp"),
}
}
@ -375,8 +370,6 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
fs.MarkDeprecated("keep-terminated-pod-volumes", "will be removed in a future version")
fs.BoolVar(&f.ReallyCrashForTesting, "really-crash-for-testing", f.ReallyCrashForTesting, "If true, when panics occur crash. Intended for testing.")
fs.MarkDeprecated("really-crash-for-testing", "will be removed in a future version.")
fs.StringVar(&f.SeccompProfileRoot, "seccomp-profile-root", f.SeccompProfileRoot, "<Warning: Alpha feature> Directory path for seccomp profiles.")
fs.MarkDeprecated("seccomp-profile-root", "will be removed in 1.23, in favor of using the `<root-dir>/seccomp` directory")
fs.StringVar(&f.ExperimentalMounterPath, "experimental-mounter-path", f.ExperimentalMounterPath, "[Experimental] Path of mounter binary. Leave empty to use the default mount.")
fs.MarkDeprecated("experimental-mounter-path", "will be removed in 1.23. in favor of using CSI.")
fs.BoolVar(&f.ExperimentalCheckNodeCapabilitiesBeforeMount, "experimental-check-node-capabilities-before-mount", f.ExperimentalCheckNodeCapabilitiesBeforeMount, "[Experimental] if set true, the kubelet will check the underlying node for required components (binaries, etc.) before performing the mount")


@ -1183,7 +1183,6 @@ func RunKubelet(kubeServer *options.KubeletServer, kubeDeps *kubelet.Dependencie
kubeServer.RegisterSchedulable,
kubeServer.KeepTerminatedPodVolumes,
kubeServer.NodeLabels,
kubeServer.SeccompProfileRoot,
kubeServer.NodeStatusMaxImages,
kubeServer.KubeletFlags.SeccompDefault || kubeServer.KubeletConfiguration.SeccompDefault,
)
@ -1259,7 +1258,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable bool,
keepTerminatedPodVolumes bool,
nodeLabels map[string]string,
seccompProfileRoot string,
nodeStatusMaxImages int32,
seccompDefault bool,
) (k kubelet.Bootstrap, err error) {
@ -1294,7 +1292,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable,
keepTerminatedPodVolumes,
nodeLabels,
seccompProfileRoot,
nodeStatusMaxImages,
seccompDefault,
)


@ -374,7 +374,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable bool,
keepTerminatedPodVolumes bool,
nodeLabels map[string]string,
seccompProfileRoot string,
nodeStatusMaxImages int32,
seccompDefault bool,
) (*Kubelet, error) {
@ -665,7 +664,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
klet.livenessManager,
klet.readinessManager,
klet.startupManager,
seccompProfileRoot,
rootDirectory,
machineInfo,
klet.podWorkers,
kubeDeps.OSInterface,


@ -31,6 +31,14 @@ import (
utilpointer "k8s.io/utils/pointer"
)
func seccompLocalhostRef(profileName string) string {
return filepath.Join(fakeSeccompProfileRoot, profileName)
}
func seccompLocalhostPath(profileName string) string {
return "localhost/" + seccompLocalhostRef(profileName)
}
func TestStableKey(t *testing.T) {
container := &v1.Container{
Name: "test_container",
@ -353,7 +361,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
expectedProfile: seccompLocalhostPath("chmod.json"),
},
{
description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
@ -361,7 +369,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
expectedProfile: seccompLocalhostPath("chmod.json"),
},
{
description: "annotations: container localhost seccomp profile with containerName should return local profile path",
@ -369,7 +377,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
expectedProfile: seccompLocalhostPath("chmod.json"),
},
{
description: "annotations: container localhost seccomp profile should override pod profile",
@ -378,7 +386,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
expectedProfile: seccompLocalhostPath("chmod.json"),
},
{
description: "annotations: container localhost seccomp profile with unmatched containerName should return empty",
@ -411,7 +419,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
{
description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"),
expectedProfile: seccompLocalhostPath("filename"),
},
{
description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
@ -426,7 +434,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"),
expectedProfile: seccompLocalhostPath("filename2"),
},
{
description: "prioritise container field over pod field",
@ -443,7 +451,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
},
{
description: "prioritise container annotation over pod field",
@ -453,7 +461,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"),
expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
},
{
description: "prioritise pod field over pod annotation",
@ -462,7 +470,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"),
expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
},
}
@ -543,7 +551,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
annotation: map[string]string{
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
expectedProfile: seccompLocalhostPath("chmod.json"),
},
{
description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
@ -551,7 +559,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompPodAnnotationKey: "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
expectedProfile: seccompLocalhostPath("chmod.json"),
},
{
description: "annotations: container localhost seccomp profile with containerName should return local profile path",
@ -559,7 +567,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
expectedProfile: seccompLocalhostPath("chmod.json"),
},
{
description: "annotations: container localhost seccomp profile should override pod profile",
@ -568,7 +576,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
expectedProfile: seccompLocalhostPath("chmod.json"),
},
{
description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default",
@ -601,7 +609,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
{
description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"),
expectedProfile: seccompLocalhostPath("filename"),
},
{
description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
@ -616,7 +624,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
{
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"),
expectedProfile: seccompLocalhostPath("filename2"),
},
{
description: "prioritise container field over pod field",
@ -633,7 +641,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
},
{
description: "prioritise container annotation over pod field",
@ -643,7 +651,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"),
expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
},
{
description: "prioritise pod field over pod annotation",
@ -652,7 +660,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
},
containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"),
expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
},
}
@ -711,7 +719,7 @@ func TestGetSeccompProfile(t *testing.T) {
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"),
LocalhostRef: seccompLocalhostRef("filename"),
},
},
{
@ -729,7 +737,7 @@ func TestGetSeccompProfile(t *testing.T) {
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"),
LocalhostRef: seccompLocalhostRef("filename2"),
},
},
{
@ -745,7 +753,7 @@ func TestGetSeccompProfile(t *testing.T) {
containerName: "container1",
expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
},
},
}
@ -805,7 +813,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"),
LocalhostRef: seccompLocalhostRef("filename"),
},
},
{
@ -823,7 +831,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"),
LocalhostRef: seccompLocalhostRef("filename2"),
},
},
{
@ -839,7 +847,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
containerName: "container1",
expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
},
},
}
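Review bot: The two helpers added at the top of the test file carry no doc comments, and their names hide the one distinction the expectations below depend on: `seccompLocalhostRef` is the bare on-node path carried in the CRI `LocalhostRef` field, while `seccompLocalhostPath` is the legacy `localhost/<path>` string form of the same reference. One line each would make every `expectedProfile` self-explanatory, e.g. `// seccompLocalhostRef returns the on-node path a Localhost profile resolves to under the fake profile root.` and `// seccompLocalhostPath is the legacy "localhost/<path>" string form of seccompLocalhostRef.` Note also that the expectations are still anchored on `fakeSeccompProfileRoot`, which is defined outside this hunk; now that the production manager derives its root as `filepath.Join(rootDirectory, "seccomp")`, that constant presumably has to match the fake root directory plus `seccomp`, otherwise these tests pass only because the fake manager sets the field directly rather than going through the constructor — worth confirming.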


@ -20,6 +20,7 @@ import (
"errors"
"fmt"
"os"
"path/filepath"
goruntime "runtime"
"time"
@ -177,7 +178,7 @@ func NewKubeGenericRuntimeManager(
livenessManager proberesults.Manager,
readinessManager proberesults.Manager,
startupManager proberesults.Manager,
seccompProfileRoot string,
rootDirectory string,
machineInfo *cadvisorapi.MachineInfo,
podStateProvider podStateProvider,
osInterface kubecontainer.OSInterface,
@ -206,7 +207,7 @@ func NewKubeGenericRuntimeManager(
recorder: recorder,
cpuCFSQuota: cpuCFSQuota,
cpuCFSQuotaPeriod: cpuCFSQuotaPeriod,
seccompProfileRoot: seccompProfileRoot,
seccompProfileRoot: filepath.Join(rootDirectory, "seccomp"),
livenessManager: livenessManager,
readinessManager: readinessManager,
startupManager: startupManager,
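Review bot: `seccompProfileRoot: filepath.Join(rootDirectory, "seccomp")` hard-wires the profile root with no guard on `rootDirectory`; if it were ever empty or relative, every Localhost profile ref handed to the runtime would resolve relative to the runtime's working directory instead of the kubelet root. The caller (NewMainKubelet, outside this hunk) may already reject an empty root directory, but a local check is cheap if the constructor's error return allows it: `if rootDirectory == "" { return nil, errors.New("rootDirectory must not be empty") }`. A comment on the assignment would also spare the next reader a git blame now that the override is gone: `// Localhost seccomp profiles are always resolved under <root-dir>/seccomp; the --seccomp-profile-root override has been removed.` Operators who kept profiles under a custom root will find them no longer resolve after this change, and whether a missing profile fails the container (fail closed) or lets it start without the filter depends on the runtime, so the release note should say so explicitly. The constructor's body continues outside the hunk.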


@ -3384,8 +3384,7 @@ const (
// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile.
SeccompProfileTypeRuntimeDefault SeccompProfileType = "RuntimeDefault"
// SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used.
// The file's location is based off the kubelet's deprecated flag --seccomp-profile-root.
// Once the flag support is removed the location will be <kubelet-root-dir>/seccomp.
// The file's location relative to <kubelet-root-dir>/seccomp.
SeccompProfileTypeLocalhost SeccompProfileType = "Localhost"
)
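Review bot: The rewritten doc comment on `SeccompProfileTypeLocalhost` is missing its verb — "The file's location relative to <kubelet-root-dir>/seccomp." does not read as a sentence, and this text is surfaced verbatim in the generated API reference. Suggest `// The file's location is relative to <kubelet-root-dir>/seccomp.`, and since the deprecated-flag sentence is gone, it may help API consumers to keep a hint that only relative, descending paths are accepted there if that is what the API validation enforces (not visible in this change).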