From 6351e2520313b724e5ebd2d9a5bfe543d2e848d3 Mon Sep 17 00:00:00 2001
From: Zhen Wang
Date: Tue, 15 May 2018 09:39:37 -0700
Subject: [PATCH] Use runtime/default as default seccomp profile for unprivileged PodSecurityPolicy

---
 .../fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml | 4 ++--
 .../fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml | 4 ++--
 .../addons/podsecuritypolicies/persistent-volume-binder.yaml | 4 ++--
 .../gce/addons/podsecuritypolicies/unprivileged-addon.yaml | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml
index d08d39312e5..319f3f5a091 100644
--- a/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml
+++ b/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml
@@ -4,8 +4,8 @@ metadata:
   name: gce.event-exporter
   annotations:
     kubernetes.io/description: 'Policy used by the event-exporter addon.'
-    # TODO: event-exporter should run with the default seccomp profile
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
     # 'runtime/default' is already the default, but must be filled in on the
     # pod to pass admission.
     apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
diff --git a/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml
index e9616473363..495ea5a33b1 100644
--- a/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml
+++ b/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml
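Review bot: The new `seccomp.security.alpha.kubernetes.io/defaultProfileName` is set to `'docker/default'`, while the commit title says `runtime/default` is to become the default; the same two added lines appear in the fluentd-gcp, persistent-volume-binder and unprivileged-addon hunks. If `docker/default` is deliberate (presumably so that kubelets which do not yet understand `runtime/default` still get a profile applied — that is my inference, not something the patch states), a comment above the line should record it, e.g. `# docker/default is the default on purpose; runtime/default is allowed but not yet the default`, otherwise the mismatch with the title reads as a typo. With a default and a two-entry allow-list in place, pods under these policies that request `unconfined` or a `localhost/` profile should now be rejected at admission, which is the intended tightening but is worth stating in the `kubernetes.io/description` so operators are not surprised. The unchanged comment `# 'runtime/default' is already the default, but must be filled in on the pod to pass admission.` now sits directly beneath the seccomp lines and reads as if it describes seccomp rather than the AppArmor annotation below it; prefixing it with `# AppArmor:` would remove the ambiguity (this comment is absent from the persistent-volume-binder hunk).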
@@ -4,8 +4,8 @@ metadata:
   name: gce.fluentd-gcp
   annotations:
     kubernetes.io/description: 'Policy used by the fluentd-gcp addon.'
-    # TODO: fluentd-gcp should run with the default seccomp profile
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
     # 'runtime/default' is already the default, but must be filled in on the
     # pod to pass admission.
     apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
diff --git a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml b/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml
index 68b1a8f733e..bcb51caa90d 100644
--- a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml
+++ b/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml
@@ -5,8 +5,8 @@ metadata:
   annotations:
     kubernetes.io/description: 'Policy used by the persistent-volume-binder (a.k.a. persistentvolume-controller) to run recycler pods.'
-    # TODO: This should use the default seccomp profile.
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
   labels:
     kubernetes.io/cluster-service: 'true'
     addonmanager.kubernetes.io/mode: Reconcile
diff --git a/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml b/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
index 9df16efbaf4..a35258a348e 100644
--- a/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
+++ b/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
@@ -7,8 +7,8 @@ metadata:
       privilege necessary to run non-privileged kube-system pods. This policy is not intended for use outside of kube-system, and may include further restrictions in the future.'
-    # TODO: Addons should use the default seccomp profile.
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
     # 'runtime/default' is already the default, but must be filled in on the
     # pod to pass admission.
     apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'