Fix seccomp PSP docker/default annotation handling

With the graduation of seccomp to GA we automatically convert the deprecated seccomp profile annotation `docker/default` to `runtime/default`. This means that we now have to automatically allow `runtime/default` if a user specifies `docker/default` and vice versa in an allowed PSP seccomp profile. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2025-07-20 10:20:51 +00:00 · 2020-10-29 11:33:41 +01:00 · 2020-10-29 11:33:41 +01:00 · 5588f025e2
commit 5588f025e2
parent 518b826b1d
3 changed files with 32 additions and 1 deletions
--- a/pkg/security/podsecuritypolicy/seccomp/BUILD
+++ b/pkg/security/podsecuritypolicy/seccomp/BUILD
@ -13,6 +13,7 @@ go_library(
    deps = [
        "//pkg/api/pod:go_default_library",
        "//pkg/apis/core:go_default_library",
+        "//staging/src/k8s.io/api/core/v1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
    ],
 )
--- a/pkg/security/podsecuritypolicy/seccomp/strategy.go
+++ b/pkg/security/podsecuritypolicy/seccomp/strategy.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"strings"

+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	podutil "k8s.io/kubernetes/pkg/api/pod"
 	api "k8s.io/kubernetes/pkg/apis/core"
@ -67,6 +68,15 @@ func NewStrategy(pspAnnotations map[string]string) Strategy {
 				allowAnyProfile = true
 				continue
 			}
+			// With the graduation of seccomp to GA we automatically convert
+			// the deprecated seccomp profile annotation `docker/default` to
+			// `runtime/default`. This means that we now have to automatically
+			// allow `runtime/default` if a user specifies `docker/default` and
+			// vice versa in a PSP.
+			if p == v1.DeprecatedSeccompProfileDockerDefault || p == v1.SeccompProfileRuntimeDefault {
+				allowedProfiles[v1.SeccompProfileRuntimeDefault] = true
+				allowedProfiles[v1.DeprecatedSeccompProfileDockerDefault] = true
+			}
 			allowedProfiles[p] = true
 		}
 	}
--- a/pkg/security/podsecuritypolicy/seccomp/strategy_test.go
+++ b/pkg/security/podsecuritypolicy/seccomp/strategy_test.go
@ -21,7 +21,7 @@ import (
 	"strings"
 	"testing"

-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	api "k8s.io/kubernetes/pkg/apis/core"
 )
@ -45,6 +45,12 @@ var (
 	allowSpecificLocalhost = map[string]string{
 		AllowedProfilesAnnotationKey: v1.SeccompLocalhostProfileNamePrefix + "foo",
 	}
+	allowSpecificDockerDefault = map[string]string{
+		AllowedProfilesAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
+	}
+	allowSpecificRuntimeDefault = map[string]string{
+		AllowedProfilesAnnotationKey: v1.SeccompProfileRuntimeDefault,
+	}
 )

 func TestNewStrategy(t *testing.T) {
@ -256,6 +262,20 @@ func TestValidatePod(t *testing.T) {
 			},
 			expectedError: "",
 		},
+		"docker/default PSP annotation automatically allows runtime/default pods": {
+			pspAnnotations: allowSpecificDockerDefault,
+			podAnnotations: map[string]string{
+				api.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
+			},
+			expectedError: "",
+		},
+		"runtime/default PSP annotation automatically allows docker/default pods": {
+			pspAnnotations: allowSpecificRuntimeDefault,
+			podAnnotations: map[string]string{
+				api.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
+			},
+			expectedError: "",
+		},
 	}
 	for k, v := range tests {
 		pod := &api.Pod{