Merge pull request #93095 from pjbgf/migrate-seccomp-usage-to-ga

Update yaml files to use seccomp GA syntax
2025-07-21 10:51:29 +00:00 · 2020-08-28 12:35:49 -07:00 · 2020-08-28 12:35:49 -07:00 · b440ecc315
commit b440ecc315
parent b02b84870c 8f8f1bad72
21 changed files with 68 additions and 49 deletions
--- a/cluster/addons/cluster-loadbalancing/glbc/default-svc-controller.yaml
+++ b/cluster/addons/cluster-loadbalancing/glbc/default-svc-controller.yaml
@ -17,9 +17,10 @@ spec:
      labels:
        k8s-app: glbc
        name: glbc
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
--- a/cluster/addons/dashboard/dashboard.yaml
+++ b/cluster/addons/dashboard/dashboard.yaml
@ -261,9 +261,10 @@ spec:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.4
--- a/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
+++ b/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
@ -75,11 +75,11 @@ spec:
    metadata:
      labels:
        k8s-app: kube-dns-autoscaler
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      nodeSelector:
--- a/cluster/addons/dns/coredns/coredns.yaml.base
+++ b/cluster/addons/dns/coredns/coredns.yaml.base
@ -108,9 +108,10 @@ spec:
    metadata:
      labels:
        k8s-app: kube-dns
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
      affinity:
--- a/cluster/addons/dns/coredns/coredns.yaml.in
+++ b/cluster/addons/dns/coredns/coredns.yaml.in
@ -108,9 +108,10 @@ spec:
    metadata:
      labels:
        k8s-app: kube-dns
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
      affinity:
--- a/cluster/addons/dns/coredns/coredns.yaml.sed
+++ b/cluster/addons/dns/coredns/coredns.yaml.sed
@ -108,9 +108,10 @@ spec:
    metadata:
      labels:
        k8s-app: kube-dns
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
      affinity:
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@ -82,12 +82,13 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      affinity:
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@ -82,12 +82,13 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      affinity:
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@ -82,12 +82,13 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      affinity:
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
@ -61,12 +61,10 @@ spec:
      labels:
        k8s-app: fluentd-es
        version: v3.0.2
-      # This annotation ensures that fluentd does not get evicted if the node
-      # supports critical pod annotation based priority scheme.
-      # Note that this does not guarantee admission on the nodes (#40573).
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      priorityClassName: system-node-critical
      serviceAccountName: fluentd-es
      containers:
--- a/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml
+++ b/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml
@ -15,9 +15,10 @@ spec:
    metadata:
      labels:
        k8s-app: kibana-logging
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      containers:
      - name: kibana-logging
        image: docker.elastic.co/kibana/kibana-oss:7.2.0
--- a/cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml
+++ b/cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml
@ -24,9 +24,10 @@ spec:
    metadata:
      labels:
        app: metadata-agent
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      serviceAccountName: metadata-agent
      priorityClassName: system-node-critical
      nodeSelector:
@ -88,9 +89,10 @@ spec:
    metadata:
      labels:
        app: metadata-agent-cluster-level
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      serviceAccountName: metadata-agent
      priorityClassName: system-cluster-critical
      nodeSelector:
--- a/cluster/addons/metrics-server/metrics-server-deployment.yaml
+++ b/cluster/addons/metrics-server/metrics-server-deployment.yaml
@ -41,9 +41,10 @@ spec:
      labels:
        k8s-app: metrics-server
        version: v0.3.6
-      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      nodeSelector:
--- a/cluster/gce/manifests/cluster-autoscaler.manifest
+++ b/cluster/gce/manifests/cluster-autoscaler.manifest
@ -7,12 +7,14 @@
        "labels": {
            "tier": "cluster-management",
            "component": "cluster-autoscaler"
-        },
-        "annotations": {
-            "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
        }
    },
    "spec": {
+        "securityContext": {
+            "seccompProfile": {
+                "type": "RuntimeDefault"
+            }
+        },
        "hostNetwork": true,
        "containers": [
            {
--- a/cluster/gce/manifests/etcd.manifest
+++ b/cluster/gce/manifests/etcd.manifest
@ -3,12 +3,14 @@
 "kind": "Pod",
 "metadata": {
  "name":"etcd-server{{ suffix }}",
-  "namespace": "kube-system",
-  "annotations": {
-    "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
-  }
+  "namespace": "kube-system"
 },
 "spec":{
+"securityContext": {
+    "seccompProfile": {
+        "type": "RuntimeDefault"
+    }
+},
 "priorityClassName": "system-node-critical",
 "priority": 2000001000,
 "hostNetwork": true,
--- a/cluster/gce/manifests/glbc.manifest
+++ b/cluster/gce/manifests/glbc.manifest
@ -5,11 +5,13 @@ metadata:
  namespace: kube-system
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
-    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
  labels:
    k8s-app: gcp-lb-controller
    kubernetes.io/name: "GLBC"
 spec:
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
  priorityClassName: system-node-critical
  priority: 2000001000
  terminationGracePeriodSeconds: 600
--- a/cluster/gce/manifests/konnectivity-server.yaml
+++ b/cluster/gce/manifests/konnectivity-server.yaml
@ -3,10 +3,11 @@ kind: Pod
 metadata:
  name: konnectivity-server
  namespace: kube-system
-  annotations:
-    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
  component: konnectivity-server
 spec:
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
  priorityClassName: system-node-critical
  priority: 2000001000
  hostNetwork: true
--- a/cluster/gce/manifests/kube-addon-manager.yaml
+++ b/cluster/gce/manifests/kube-addon-manager.yaml
@ -3,12 +3,12 @@ kind: Pod
 metadata:
  name: kube-addon-manager
  namespace: kube-system
-  annotations:
-    seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
  labels:
    component: kube-addon-manager
 spec:
  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
    runAsUser: {{runAsUser}}
    runAsGroup: {{runAsGroup}}
  priorityClassName: system-node-critical
--- a/cluster/gce/manifests/kube-apiserver.manifest
+++ b/cluster/gce/manifests/kube-apiserver.manifest
@ -4,15 +4,17 @@
 "metadata": {
  "name":"kube-apiserver",
  "namespace": "kube-system",
-  "annotations": {
-    "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
-  },
  "labels": {
    "tier": "control-plane",
    "component": "kube-apiserver"
  }
 },
 "spec":{
+"securityContext": {
+    "seccompProfile": {
+        "type": "RuntimeDefault"
+    }
+},
 "priorityClassName": "system-node-critical",
 "priority": 2000001000,
 "hostNetwork": true,
--- a/cluster/gce/manifests/kube-controller-manager.manifest
+++ b/cluster/gce/manifests/kube-controller-manager.manifest
@ -4,9 +4,6 @@
 "metadata": {
  "name":"kube-controller-manager",
  "namespace": "kube-system",
-  "annotations": {
-    "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
-  },
  "labels": {
    "tier": "control-plane",
    "component": "kube-controller-manager"
@ -14,6 +11,9 @@
 },
 "spec":{
 "securityContext": {
+  "seccompProfile": {
+      "type": "RuntimeDefault"
+  },
  "runAsUser": {{runAsUser}},
  "runAsGroup": {{runAsGroup}}
 },
--- a/cluster/gce/manifests/kube-scheduler.manifest
+++ b/cluster/gce/manifests/kube-scheduler.manifest
@ -4,9 +4,6 @@
 "metadata": {
  "name":"kube-scheduler",
  "namespace": "kube-system",
-  "annotations": {
-    "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
-  },
  "labels": {
    "tier": "control-plane",
    "component": "kube-scheduler"
@ -14,6 +11,9 @@
 },
 "spec":{
 "securityContext": {
+  "seccompProfile": {
+      "type": "RuntimeDefault"
+  },
  "runAsUser": {{runAsUser}},
  "runAsGroup": {{runAsGroup}}
 },