From 46077e6be7c7b435c3c8c2bcf20697b237deed60 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Tue, 27 Jul 2021 14:22:05 +0200
Subject: [PATCH] Remove deprecated `--seccomp-profile-root`/`seccompProfileRoot` configuration

The configuration is deprecated and targets removal for v1.23. Tests cases have been changed as well.

Signed-off-by: Sascha Grunert
---
 cmd/kubelet/app/options/options.go | 7 ---
 cmd/kubelet/app/server.go | 3 -
 pkg/kubelet/kubelet.go | 3 +-
 pkg/kubelet/kuberuntime/helpers_test.go | 56 +++++++++++--------
 .../kuberuntime/kuberuntime_manager.go | 5 +-
 staging/src/k8s.io/api/core/v1/types.go | 3 +-
 6 files changed, 37 insertions(+), 40 deletions(-)
diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index 3d684e6e8e5..2aa3fc98033 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -20,7 +20,6 @@ package options
 import (
 "fmt"
 _ "net/http/pprof" // Enable pprof HTTP handlers.
- "path/filepath"
 "runtime"
 "strings"
 
@@ -141,9 +140,6 @@ type KubeletFlags struct {
 // This will cause the kubelet to listen to inotify events on the lock file,
 // releasing it and exiting when another process tries to open that file.
 ExitOnLockContention bool
- // seccompProfileRoot is the directory path for seccomp profiles.
- SeccompProfileRoot string
-
 // DEPRECATED FLAGS
 // minimumGCAge is the minimum age for a finished container before it is
 // garbage collected.
@@ -193,7 +189,6 @@ func NewKubeletFlags() *KubeletFlags {
 RemoteRuntimeEndpoint: remoteRuntimeEndpoint,
 NodeLabels: make(map[string]string),
 RegisterNode: true,
- SeccompProfileRoot: filepath.Join(defaultRootDir, "seccomp"),
 }
 }
 
@@ -375,8 +370,6 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
 fs.MarkDeprecated("keep-terminated-pod-volumes", "will be removed in a future version")
 fs.BoolVar(&f.ReallyCrashForTesting, "really-crash-for-testing", f.ReallyCrashForTesting, "If true, when panics occur crash. Intended for testing.")
 fs.MarkDeprecated("really-crash-for-testing", "will be removed in a future version.")
- fs.StringVar(&f.SeccompProfileRoot, "seccomp-profile-root", f.SeccompProfileRoot, " Directory path for seccomp profiles.")
- fs.MarkDeprecated("seccomp-profile-root", "will be removed in 1.23, in favor of using the `/seccomp` directory")
 fs.StringVar(&f.ExperimentalMounterPath, "experimental-mounter-path", f.ExperimentalMounterPath, "[Experimental] Path of mounter binary. Leave empty to use the default mount.")
 fs.MarkDeprecated("experimental-mounter-path", "will be removed in 1.23. in favor of using CSI.")
 fs.BoolVar(&f.ExperimentalCheckNodeCapabilitiesBeforeMount, "experimental-check-node-capabilities-before-mount", f.ExperimentalCheckNodeCapabilitiesBeforeMount, "[Experimental] if set true, the kubelet will check the underlying node for required components (binaries, etc.) before performing the mount")
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 0522aae5141..d3b2b677e51 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -1183,7 +1183,6 @@ func RunKubelet(kubeServer *options.KubeletServer, kubeDeps *kubelet.Dependencie
 kubeServer.RegisterSchedulable,
 kubeServer.KeepTerminatedPodVolumes,
 kubeServer.NodeLabels,
- kubeServer.SeccompProfileRoot,
 kubeServer.NodeStatusMaxImages,
 kubeServer.KubeletFlags.SeccompDefault || kubeServer.KubeletConfiguration.SeccompDefault,
 )
@@ -1259,7 +1258,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 registerSchedulable bool,
 keepTerminatedPodVolumes bool,
 nodeLabels map[string]string,
- seccompProfileRoot string,
 nodeStatusMaxImages int32,
 seccompDefault bool,
 ) (k kubelet.Bootstrap, err error) {
@@ -1294,7 +1292,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 registerSchedulable,
 keepTerminatedPodVolumes,
 nodeLabels,
- seccompProfileRoot,
 nodeStatusMaxImages,
 seccompDefault,
 )
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index 844074eb3ad..9498eb47279 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@@ -374,7 +374,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 registerSchedulable bool,
 keepTerminatedPodVolumes bool,
 nodeLabels map[string]string,
- seccompProfileRoot string,
 nodeStatusMaxImages int32,
 seccompDefault bool,
 ) (*Kubelet, error) {
@@ -665,7 +664,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
 klet.livenessManager,
 klet.readinessManager,
 klet.startupManager,
- seccompProfileRoot,
+ rootDirectory,
 machineInfo,
 klet.podWorkers,
 kubeDeps.OSInterface,
diff --git a/pkg/kubelet/kuberuntime/helpers_test.go b/pkg/kubelet/kuberuntime/helpers_test.go
index 90244d50f22..7cc6298e636 100644
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
@@ -31,6 +31,14 @@ import (
 utilpointer "k8s.io/utils/pointer"
 )
 
+func seccompLocalhostRef(profileName string) string {
+ return filepath.Join(fakeSeccompProfileRoot, profileName)
+}
+
+func seccompLocalhostPath(profileName string) string {
+ return "localhost/" + seccompLocalhostRef(profileName)
+}
+
 func TestStableKey(t *testing.T) {
 container := &v1.Container{
 Name: "test_container",
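Review bot: The two helpers added in helpers_test.go, seccompLocalhostRef and seccompLocalhostPath, carry no doc comment, so a reader of the tables that follow has to open them to learn that one is the on-node path and the other the same path with the `localhost/` scheme that the expectedProfile fields compare against. Suggest `// seccompLocalhostRef returns the expected on-node path of profileName under fakeSeccompProfileRoot.` and `// seccompLocalhostPath is seccompLocalhostRef with the "localhost/" prefix, the form the expectedProfile fields of TestGetSeccompProfilePath use.`. The `"localhost/"` prefix is now hard-coded in the helper as well as in the annotation values; if the package exposes a constant for that prefix, using it in the helper would keep the expected values from silently diverging from the production string, which this hunk alone does not let me confirm.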
@@ -353,7 +361,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 annotation: map[string]string{
 v1.SeccompPodAnnotationKey: "localhost/chmod.json",
 },
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ expectedProfile: seccompLocalhostPath("chmod.json"),
 },
 {
 description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
@@ -361,7 +369,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 v1.SeccompPodAnnotationKey: "localhost/chmod.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ expectedProfile: seccompLocalhostPath("chmod.json"),
 },
 {
 description: "annotations: container localhost seccomp profile with containerName should return local profile path",
@@ -369,7 +377,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ expectedProfile: seccompLocalhostPath("chmod.json"),
 },
 {
 description: "annotations: container localhost seccomp profile should override pod profile",
@@ -378,7 +386,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ expectedProfile: seccompLocalhostPath("chmod.json"),
 },
 {
 description: "annotations: container localhost seccomp profile with unmatched containerName should return empty",
@@ -411,7 +419,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 {
 description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
 podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"),
+ expectedProfile: seccompLocalhostPath("filename"),
 },
 {
 description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
@@ -426,7 +434,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 {
 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
 containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"),
+ expectedProfile: seccompLocalhostPath("filename2"),
 },
 {
 description: "prioritise container field over pod field",
@@ -443,7 +451,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
+ expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
 },
 {
 description: "prioritise container annotation over pod field",
@@ -453,7 +461,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"),
+ expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
 },
 {
 description: "prioritise pod field over pod annotation",
@@ -462,7 +470,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
 v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"),
+ expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
 },
 }
 
@@ -543,7 +551,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 annotation: map[string]string{
 v1.SeccompPodAnnotationKey: "localhost/chmod.json",
 },
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ expectedProfile: seccompLocalhostPath("chmod.json"),
 },
 {
 description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
@@ -551,7 +559,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 v1.SeccompPodAnnotationKey: "localhost/chmod.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ expectedProfile: seccompLocalhostPath("chmod.json"),
 },
 {
 description: "annotations: container localhost seccomp profile with containerName should return local profile path",
@@ -559,7 +567,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ expectedProfile: seccompLocalhostPath("chmod.json"),
 },
 {
 description: "annotations: container localhost seccomp profile should override pod profile",
@@ -568,7 +576,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"),
+ expectedProfile: seccompLocalhostPath("chmod.json"),
 },
 {
 description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default",
@@ -601,7 +609,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 {
 description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
 podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"),
+ expectedProfile: seccompLocalhostPath("filename"),
 },
 {
 description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
@@ -616,7 +624,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 {
 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
 containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"),
+ expectedProfile: seccompLocalhostPath("filename2"),
 },
 {
 description: "prioritise container field over pod field",
@@ -633,7 +641,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
+ expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
 },
 {
 description: "prioritise container annotation over pod field",
@@ -643,7 +651,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"),
+ expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
 },
 {
 description: "prioritise pod field over pod annotation",
@@ -652,7 +660,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
 v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
 },
 containerName: "container1",
- expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"),
+ expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
 },
 }
 
@@ -711,7 +719,7 @@ func TestGetSeccompProfile(t *testing.T) {
 podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
 expectedProfile: &runtimeapi.SecurityProfile{
 ProfileType: runtimeapi.SecurityProfile_Localhost,
- LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"),
+ LocalhostRef: seccompLocalhostRef("filename"),
 },
 },
 {
@@ -729,7 +737,7 @@ func TestGetSeccompProfile(t *testing.T) {
 containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
 expectedProfile: &runtimeapi.SecurityProfile{
 ProfileType: runtimeapi.SecurityProfile_Localhost,
- LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"),
+ LocalhostRef: seccompLocalhostRef("filename2"),
 },
 },
 {
@@ -745,7 +753,7 @@ func TestGetSeccompProfile(t *testing.T) {
 containerName: "container1",
 expectedProfile: &runtimeapi.SecurityProfile{
 ProfileType: runtimeapi.SecurityProfile_Localhost,
- LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
+ LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
 },
 },
 }
@@ -805,7 +813,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
 podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
 expectedProfile: &runtimeapi.SecurityProfile{
 ProfileType: runtimeapi.SecurityProfile_Localhost,
- LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"),
+ LocalhostRef: seccompLocalhostRef("filename"),
 },
 },
 {
@@ -823,7 +831,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
 containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
 expectedProfile: &runtimeapi.SecurityProfile{
 ProfileType: runtimeapi.SecurityProfile_Localhost,
- LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"),
+ LocalhostRef: seccompLocalhostRef("filename2"),
 },
 },
 {
@@ -839,7 +847,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
 containerName: "container1",
 expectedProfile: &runtimeapi.SecurityProfile{
 ProfileType: runtimeapi.SecurityProfile_Localhost,
- LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"),
+ LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
 },
 },
 }
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager.go b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
index 8118479a976..2943517bd06 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_manager.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
@@ -20,6 +20,7 @@ import (
 "errors"
 "fmt"
 "os"
+ "path/filepath"
 goruntime "runtime"
 "time"
 
@@ -177,7 +178,7 @@ func NewKubeGenericRuntimeManager(
 livenessManager proberesults.Manager,
 readinessManager proberesults.Manager,
 startupManager proberesults.Manager,
- seccompProfileRoot string,
+ rootDirectory string,
 machineInfo *cadvisorapi.MachineInfo,
 podStateProvider podStateProvider,
 osInterface kubecontainer.OSInterface,
@@ -206,7 +207,7 @@ func NewKubeGenericRuntimeManager(
 recorder: recorder,
 cpuCFSQuota: cpuCFSQuota,
 cpuCFSQuotaPeriod: cpuCFSQuotaPeriod,
- seccompProfileRoot: seccompProfileRoot,
+ seccompProfileRoot: filepath.Join(rootDirectory, "seccomp"),
 livenessManager: livenessManager,
 readinessManager: readinessManager,
 startupManager: startupManager,
diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
index ec948c3bbe1..02d4dd0cd74 100644
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
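Review bot: The new `rootDirectory string` parameter of NewKubeGenericRuntimeManager sits in the same position and has the same type as the `seccompProfileRoot string` it replaces, so the compiler cannot distinguish a caller that still passes a profile root from one that passes the kubelet root; such a caller would silently end up resolving localhost profiles under `<old-profile-root>/seccomp`. The in-tree call in kubelet.go is updated in this commit, but the constructor is exported, so a short doc note on the parameter is warranted, e.g. `// rootDirectory is the kubelet root directory; localhost seccomp profiles are resolved under rootDirectory/seccomp.`. The `"seccomp"` subdirectory literal that this commit deletes from options.go now lives only in the `filepath.Join(rootDirectory, "seccomp")` initializer and is echoed in the types.go doc comment; naming it once (e.g. `const seccompProfileRootDirName = "seccomp"`) would keep the manager and the API documentation from drifting apart.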
@@ -3384,8 +3384,7 @@ const (
 // SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile.
 SeccompProfileTypeRuntimeDefault SeccompProfileType = "RuntimeDefault"
 // SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used.
- // The file's location is based off the kubelet's deprecated flag --seccomp-profile-root.
- // Once the flag support is removed the location will be /seccomp.
+ // The file's location relative to /seccomp.
 SeccompProfileTypeLocalhost SeccompProfileType = "Localhost"
 )
 
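Review bot: The replacement comment on SeccompProfileTypeLocalhost, `// The file's location relative to /seccomp.`, is not a complete sentence, and as rendered here the path has no base component, which suggests an angle-bracketed placeholder was lost somewhere between the source and this page (the deprecation message removed from options.go shows the same bare `/seccomp`); please confirm what the committed text actually says. This is the user-facing API documentation for the Localhost profile type, so it should name the base directory explicitly, e.g. `// The file's location is relative to <KUBELET_ROOT_DIR>/seccomp on the node.` (placeholder to be replaced with the project's own wording). The removed lines were also the only place this comment said the directory is kubelet-controlled rather than user-chosen; keeping one clause to that effect would preserve that information for API readers.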