Merge pull request #26710 from sttts/sttts-fix-seccomp-annotations
Automatic merge from submit-queue. Move /seccomp/ into the domain prefix of the seccomp annotations. Fixes #26610. /cc @mdshuai @ncdc @jfrazelle
commit
911e84ed1e
@ -202,11 +202,11 @@ use annotations instead of extending the API with new fields.
|
||||
In the alpha version of this feature we will use annotations to store the
|
||||
names of seccomp profiles. The keys will be:
|
||||
|
||||
`security.alpha.kubernetes.io/seccomp/container/<container name>`
|
||||
`container.seccomp.security.alpha.kubernetes.io/<container name>`
|
||||
|
||||
which will be used to set the seccomp profile of a container, and:
|
||||
|
||||
`security.alpha.kubernetes.io/seccomp/pod`
|
||||
`seccomp.security.alpha.kubernetes.io/pod`
|
||||
|
||||
which will set the seccomp profile for the containers of an entire pod. If a
|
||||
pod-level annotation is present, and a container-level annotation present for
|
||||
@ -240,7 +240,7 @@ subdirectory of the kubelet root directory.
|
||||
|
||||
The `PodSecurityPolicy` type should be annotated with the allowed seccomp
|
||||
profiles using the key
|
||||
`security.alpha.kubernetes.io/allowedSeccompProfileNames`. The value of this
|
||||
`seccomp.security.alpha.kubernetes.io/allowedProfileNames`. The value of this
|
||||
key should be a comma delimited list.
|
||||
|
||||
## Examples
|
||||
@ -255,7 +255,7 @@ kind: Pod
|
||||
metadata:
|
||||
name: trustworthy-pod
|
||||
annotations:
|
||||
security.alpha.kubernetes.io/seccomp/pod: unconfined
|
||||
seccomp.security.alpha.kubernetes.io/pod: unconfined
|
||||
spec:
|
||||
containers:
|
||||
- name: trustworthy-container
|
||||
@ -273,7 +273,7 @@ kind: Pod
|
||||
metadata:
|
||||
name: explorer
|
||||
annotations:
|
||||
security.alpha.kubernetes.io/seccomp/container/explorer: localhost/example-explorer-profile
|
||||
container.seccomp.security.alpha.kubernetes.io/explorer: localhost/example-explorer-profile
|
||||
spec:
|
||||
containers:
|
||||
- name: explorer
|
||||
|
@ -993,10 +993,10 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
profile, profileOK := pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/container/"+ctrName]
|
||||
profile, profileOK := pod.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+ctrName]
|
||||
if !profileOK {
|
||||
// try the pod profile
|
||||
profile, profileOK = pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/pod"]
|
||||
profile, profileOK = pod.ObjectMeta.Annotations["seccomp.security.alpha.kubernetes.io/pod"]
|
||||
if !profileOK {
|
||||
// return early the default
|
||||
return defaultSecurityOpt, nil
|
||||
@ -1013,7 +1013,7 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(profile, "localhost") {
|
||||
if !strings.HasPrefix(profile, "localhost/") {
|
||||
return nil, fmt.Errorf("unknown seccomp profile option: %s", profile)
|
||||
}
|
||||
|
||||
|
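Review bot: The tightened check on the `if !strings.HasPrefix(profile, "localhost/")` line only guarantees that a slash follows `localhost`; it says nothing about the remainder, so if that remainder is later joined onto the kubelet's profile directory (getSecurityOpt continues outside this hunk, so I cannot see how it is used) an annotation value with empty or `..` path segments would still pass this gate. Since the value comes straight from a user-supplied pod annotation, it is worth rejecting those here, e.g. `name := strings.TrimPrefix(profile, "localhost/")` followed by `if name == "" || strings.Contains(name, "..") { return nil, fmt.Errorf("invalid seccomp profile name: %q", name) }`, before it reaches any path handling. On the error line that follows, `%q` rather than `%s` would also make empty or whitespace-bearing annotation values visible in the message: `return nil, fmt.Errorf("unknown seccomp profile option: %q", profile)`.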
@ -1762,7 +1762,7 @@ func TestUnconfinedSeccompProfileWithDockerV110(t *testing.T) {
|
||||
Name: "foo4",
|
||||
Namespace: "new",
|
||||
Annotations: map[string]string{
|
||||
"security.alpha.kubernetes.io/seccomp/pod": "unconfined",
|
||||
"seccomp.security.alpha.kubernetes.io/pod": "unconfined",
|
||||
},
|
||||
},
|
||||
Spec: api.PodSpec{
|
||||
@ -1804,7 +1804,7 @@ func TestDefaultSeccompProfileWithDockerV110(t *testing.T) {
|
||||
Name: "foo1",
|
||||
Namespace: "new",
|
||||
Annotations: map[string]string{
|
||||
"security.alpha.kubernetes.io/seccomp/pod": "docker/default",
|
||||
"seccomp.security.alpha.kubernetes.io/pod": "docker/default",
|
||||
},
|
||||
},
|
||||
Spec: api.PodSpec{
|
||||
@ -1846,8 +1846,8 @@ func TestSeccompContainerAnnotationTrumpsPod(t *testing.T) {
|
||||
Name: "foo2",
|
||||
Namespace: "new",
|
||||
Annotations: map[string]string{
|
||||
"security.alpha.kubernetes.io/seccomp/pod": "unconfined",
|
||||
"security.alpha.kubernetes.io/seccomp/container/bar2": "docker/default",
|
||||
"seccomp.security.alpha.kubernetes.io/pod": "unconfined",
|
||||
"container.seccomp.security.alpha.kubernetes.io/bar2": "docker/default",
|
||||
},
|
||||
},
|
||||
Spec: api.PodSpec{
|
||||
|
@ -37,8 +37,9 @@ func scTestPod(hostIPC bool, hostPID bool) *api.Pod {
|
||||
podName := "security-context-" + string(util.NewUUID())
|
||||
pod := &api.Pod{
|
||||
ObjectMeta: api.ObjectMeta{
|
||||
Name: podName,
|
||||
Labels: map[string]string{"name": podName},
|
||||
Name: podName,
|
||||
Labels: map[string]string{"name": podName},
|
||||
Annotations: map[string]string{},
|
||||
},
|
||||
Spec: api.PodSpec{
|
||||
SecurityContext: &api.PodSecurityContext{
|
||||
@ -106,6 +107,37 @@ var _ = framework.KubeDescribe("Security Context [Feature:SecurityContext]", fun
|
||||
testPodSELinuxLabeling(f, false, true)
|
||||
})
|
||||
|
||||
It("should support seccomp alpha unconfined annotation on the container [Feature:Seccomp]", func() {
|
||||
// TODO: port to SecurityContext as soon as seccomp is out of alpha
|
||||
pod := scTestPod(false, false)
|
||||
pod.Annotations["container.seccomp.security.alpha.kubernetes.io/test-container"] = "unconfined"
|
||||
pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "docker/default"
|
||||
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
|
||||
f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
|
||||
})
|
||||
|
||||
It("should support seccomp alpha unconfined annotation on the pod [Feature:Seccomp]", func() {
|
||||
// TODO: port to SecurityContext as soon as seccomp is out of alpha
|
||||
pod := scTestPod(false, false)
|
||||
pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "unconfined"
|
||||
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
|
||||
f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
|
||||
})
|
||||
|
||||
It("should support seccomp alpha docker/default annotation [Feature:Seccomp]", func() {
|
||||
// TODO: port to SecurityContext as soon as seccomp is out of alpha
|
||||
pod := scTestPod(false, false)
|
||||
pod.Annotations["container.seccomp.security.alpha.kubernetes.io/test-container"] = "docker/default"
|
||||
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
|
||||
f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"2"}) // seccomp filtered
|
||||
})
|
||||
|
||||
It("should support seccomp default which is unconfined [Feature:Seccomp]", func() {
|
||||
// TODO: port to SecurityContext as soon as seccomp is out of alpha
|
||||
pod := scTestPod(false, false)
|
||||
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
|
||||
f.TestContainerOutput("pod.Spec.SecurityContext.Seccomp", pod, 0, []string{"0"}) // seccomp disabled
|
||||
})
|
||||
})
|
||||
|
||||
func testPodSELinuxLabeling(f *framework.Framework, hostIPC bool, hostPID bool) {
|
||||
|
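Review bot: The first added It block sets both the container-level annotation and a pod-level `docker/default`, so what it really asserts is that the container annotation takes precedence over the pod one, yet neither the spec name nor a comment says so and a reader may take the pod line for noise. Suggest a comment above the `pod.Annotations["seccomp.security.alpha.kubernetes.io/pod"] = "docker/default"` line such as `// the container-level annotation must win over the pod-level docker/default`, or naming the spec "...unconfined annotation on the container, overriding the pod annotation". The four specs also repeat the same `grep` command and `TestContainerOutput` call; a small helper taking the expected status value would reduce each to its annotation setup. If `TestContainerOutput` matches by substring (I cannot tell from this hunk), `"grep", "ecc", "/proc/self/status"` could be narrowed to `"grep", "^Seccomp:", "/proc/self/status"` so only the Seccomp field is compared. The enclosing Describe block begins outside the hunk.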