mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-01-13 11:25:19 +00:00
Merge pull request #33500 from Random-Liu/apparmor-seccomp-cri
Automatic merge from submit-queue

Add seccomp and apparmor support.

This PR adds seccomp and apparmor support in new CRI.

This is a WIP because I'm still adding unit tests for some of the functions. Sent this PR here for design discussion.

This PR is similar to https://github.com/kubernetes/kubernetes/pull/33450.
The differences are:
* This PR passes seccomp and apparmor configuration via annotations;
* This PR keeps the seccomp handling logic in docker shim because current seccomp implementation is very docker specific, and @timstclair told me that even the json seccomp profile file is defined by docker.

Notice that this PR almost passes related annotations in `api.Pod` to the runtime directly instead of introducing new CRI annotation.

@yujuhong @feiskyer @timstclair
@@ -507,7 +507,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration, kubeDeps *Kub
|
||||
case "cri":
|
||||
// Use the new CRI shim for docker. This is need for testing the
|
||||
// docker integration through CRI, and may be removed in the future.
|
||||
dockerService := dockershim.NewDockerService(klet.dockerClient)
|
||||
dockerService := dockershim.NewDockerService(klet.dockerClient, kubeCfg.SeccompProfileRoot)
|
||||
klet.containerRuntime, err = kuberuntime.NewKubeGenericRuntimeManager(
|
||||
kubecontainer.FilterEventRecorder(kubeDeps.Recorder),
|
||||
klet.livenessManager,
|
||||
|
||||
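Review bot: At the changed `dockershim.NewDockerService(klet.dockerClient, kubeCfg.SeccompProfileRoot)` call in the `"cri"` case, the seccomp profile root is handed to the shim exactly as configured, and nothing visible in this hunk checks that it is non-empty and an absolute path. Since the commit message says the seccomp handling logic stays in the docker shim, either validate the value here in `NewMainKubelet` before constructing the service, or document on `NewDockerService` what an empty or relative root means, so that the directory profiles are loaded from is never ambiguous. Minor style point while this block is being touched: the comment above the call reads "This is need for testing" and should read "This is needed for testing".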