seccomp is an alpha feature and not feature gated

Move SeccompProfileRoot to KubeletFlags and document flag as alpha
Michael Taufen 2017-11-17 17:43:00 -08:00
parent 3ec7487c0f
commit ca8cffef24
9 changed files with 16 additions and 19 deletions


@ -20,6 +20,7 @@ package options
import ( import (
"fmt" "fmt"
_ "net/http/pprof" _ "net/http/pprof"
"path/filepath"
"runtime" "runtime"
"strings" "strings"
@ -154,6 +155,8 @@ type KubeletFlags struct {
// This will cause the kubelet to listen to inotify events on the lock file, // This will cause the kubelet to listen to inotify events on the lock file,
// releasing it and exiting when another process tries to open that file. // releasing it and exiting when another process tries to open that file.
ExitOnLockContention bool ExitOnLockContention bool
// seccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot string
// DEPRECATED FLAGS // DEPRECATED FLAGS
// minimumGCAge is the minimum age for a finished container before it is // minimumGCAge is the minimum age for a finished container before it is
@ -214,6 +217,7 @@ func NewKubeletFlags() *KubeletFlags {
NodeLabels: make(map[string]string), NodeLabels: make(map[string]string),
VolumePluginDir: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/", VolumePluginDir: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
RegisterNode: true, RegisterNode: true,
SeccompProfileRoot: filepath.Join(v1alpha1.DefaultRootDir, "seccomp"),
} }
} }
@ -338,6 +342,7 @@ func (f *KubeletFlags) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&f.VolumePluginDir, "volume-plugin-dir", f.VolumePluginDir, "<Warning: Alpha feature> The full path of the directory in which to search for additional third party volume plugins") fs.StringVar(&f.VolumePluginDir, "volume-plugin-dir", f.VolumePluginDir, "<Warning: Alpha feature> The full path of the directory in which to search for additional third party volume plugins")
fs.StringVar(&f.LockFilePath, "lock-file", f.LockFilePath, "<Warning: Alpha feature> The path to file for kubelet to use as a lock file.") fs.StringVar(&f.LockFilePath, "lock-file", f.LockFilePath, "<Warning: Alpha feature> The path to file for kubelet to use as a lock file.")
fs.BoolVar(&f.ExitOnLockContention, "exit-on-lock-contention", f.ExitOnLockContention, "Whether kubelet should exit upon lock-file contention.") fs.BoolVar(&f.ExitOnLockContention, "exit-on-lock-contention", f.ExitOnLockContention, "Whether kubelet should exit upon lock-file contention.")
fs.StringVar(&f.SeccompProfileRoot, "seccomp-profile-root", f.SeccompProfileRoot, "<Warning: Alpha feature> Directory path for seccomp profiles.")
// DEPRECATED FLAGS // DEPRECATED FLAGS
fs.DurationVar(&f.MinimumGCAge.Duration, "minimum-container-ttl-duration", f.MinimumGCAge.Duration, "Minimum age for a finished container before it is garbage collected. Examples: '300ms', '10s' or '2h45m'") fs.DurationVar(&f.MinimumGCAge.Duration, "minimum-container-ttl-duration", f.MinimumGCAge.Duration, "Minimum age for a finished container before it is garbage collected. Examples: '300ms', '10s' or '2h45m'")
@ -405,7 +410,6 @@ func AddKubeletConfigFlags(fs *pflag.FlagSet, c *kubeletconfig.KubeletConfigurat
"are generated for the public address and saved to the directory passed to --cert-dir.") "are generated for the public address and saved to the directory passed to --cert-dir.")
fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.") fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.")
fs.StringVar(&c.SeccompProfileRoot, "seccomp-profile-root", c.SeccompProfileRoot, "Directory path for seccomp profiles.")
fs.BoolVar(&c.AllowPrivileged, "allow-privileged", c.AllowPrivileged, "If true, allow containers to request privileged mode.") fs.BoolVar(&c.AllowPrivileged, "allow-privileged", c.AllowPrivileged, "If true, allow containers to request privileged mode.")
fs.StringSliceVar(&c.HostNetworkSources, "host-network-sources", c.HostNetworkSources, "Comma-separated list of sources from which the Kubelet allows pods to use of host network.") fs.StringSliceVar(&c.HostNetworkSources, "host-network-sources", c.HostNetworkSources, "Comma-separated list of sources from which the Kubelet allows pods to use of host network.")
fs.StringSliceVar(&c.HostPIDSources, "host-pid-sources", c.HostPIDSources, "Comma-separated list of sources from which the Kubelet allows pods to use the host pid namespace.") fs.StringSliceVar(&c.HostPIDSources, "host-pid-sources", c.HostPIDSources, "Comma-separated list of sources from which the Kubelet allows pods to use the host pid namespace.")
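Review bot: The new default `SeccompProfileRoot: filepath.Join(v1alpha1.DefaultRootDir, "seccomp")` in NewKubeletFlags is computed from the package constant, so it will not track a kubelet that is started with a non-default root directory (NewMainKubelet still takes `rootDirectory` as a separate argument); the v1alpha1 defaulting this commit deletes behaved the same way, but now the flag help is the only place an operator can learn it. The help string for `--seccomp-profile-root` should also say that the field is no longer read from a KubeletConfiguration file, since the versioned `seccompProfileRoot` key is removed in the same commit and a config file that still carries it will presumably be silently ignored or rejected depending on the decoder. Because this directory is, as far as the name and the runtime-manager wiring suggest, the source of profiles that pods can select, it is worth stating the trust expectation in the help text, e.g. `"<Warning: Alpha feature> Directory path for seccomp profiles. Not read from the kubelet config file; set explicitly when --root-dir is changed, and keep it writable by root only."` The enclosing functions continue outside the hunks shown.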


@ -728,7 +728,8 @@ func RunKubelet(kubeFlags *options.KubeletFlags, kubeCfg *kubeletconfiginternal.
kubeFlags.RegisterSchedulable, kubeFlags.RegisterSchedulable,
kubeFlags.NonMasqueradeCIDR, kubeFlags.NonMasqueradeCIDR,
kubeFlags.KeepTerminatedPodVolumes, kubeFlags.KeepTerminatedPodVolumes,
kubeFlags.NodeLabels) kubeFlags.NodeLabels,
kubeFlags.SeccompProfileRoot)
if err != nil { if err != nil {
return fmt.Errorf("failed to create kubelet: %v", err) return fmt.Errorf("failed to create kubelet: %v", err)
} }
@ -800,7 +801,8 @@ func CreateAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable bool, registerSchedulable bool,
nonMasqueradeCIDR string, nonMasqueradeCIDR string,
keepTerminatedPodVolumes bool, keepTerminatedPodVolumes bool,
nodeLabels map[string]string) (k kubelet.Bootstrap, err error) { nodeLabels map[string]string,
seccompProfileRoot string) (k kubelet.Bootstrap, err error) {
// TODO: block until all sources have delivered at least one update to the channel, or break the sync loop // TODO: block until all sources have delivered at least one update to the channel, or break the sync loop
// up into "per source" synchronizations // up into "per source" synchronizations
@ -832,7 +834,8 @@ func CreateAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable, registerSchedulable,
nonMasqueradeCIDR, nonMasqueradeCIDR,
keepTerminatedPodVolumes, keepTerminatedPodVolumes,
nodeLabels) nodeLabels,
seccompProfileRoot)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -25,7 +25,6 @@ func KubeletConfigurationPathRefs(kc *KubeletConfiguration) []*string {
paths = append(paths, &kc.Authentication.X509.ClientCAFile) paths = append(paths, &kc.Authentication.X509.ClientCAFile)
paths = append(paths, &kc.TLSCertFile) paths = append(paths, &kc.TLSCertFile)
paths = append(paths, &kc.TLSPrivateKeyFile) paths = append(paths, &kc.TLSPrivateKeyFile)
paths = append(paths, &kc.SeccompProfileRoot)
paths = append(paths, &kc.ResolverConfig) paths = append(paths, &kc.ResolverConfig)
return paths return paths
} }


@ -132,7 +132,6 @@ var (
"Authentication.X509.ClientCAFile", "Authentication.X509.ClientCAFile",
"TLSCertFile", "TLSCertFile",
"TLSPrivateKeyFile", "TLSPrivateKeyFile",
"SeccompProfileRoot",
"ResolverConfig", "ResolverConfig",
) )


@ -89,8 +89,6 @@ type KubeletConfiguration struct {
Authentication KubeletAuthentication Authentication KubeletAuthentication
// authorization specifies how requests to the Kubelet's server are authorized // authorization specifies how requests to the Kubelet's server are authorized
Authorization KubeletAuthorization Authorization KubeletAuthorization
// seccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot string
// allowPrivileged enables containers to request privileged mode. // allowPrivileged enables containers to request privileged mode.
// Defaults to false. // Defaults to false.
AllowPrivileged bool AllowPrivileged bool


@ -17,7 +17,6 @@ limitations under the License.
package v1alpha1 package v1alpha1
import ( import (
"path/filepath"
"time" "time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -177,9 +176,6 @@ func SetDefaults_KubeletConfiguration(obj *KubeletConfiguration) {
if obj.SerializeImagePulls == nil { if obj.SerializeImagePulls == nil {
obj.SerializeImagePulls = boolVar(true) obj.SerializeImagePulls = boolVar(true)
} }
if obj.SeccompProfileRoot == "" {
obj.SeccompProfileRoot = filepath.Join(DefaultRootDir, "seccomp")
}
if obj.StreamingConnectionIdleTimeout == zeroDuration { if obj.StreamingConnectionIdleTimeout == zeroDuration {
obj.StreamingConnectionIdleTimeout = metav1.Duration{Duration: 4 * time.Hour} obj.StreamingConnectionIdleTimeout = metav1.Duration{Duration: 4 * time.Hour}
} }


@ -89,8 +89,6 @@ type KubeletConfiguration struct {
Authentication KubeletAuthentication `json:"authentication"` Authentication KubeletAuthentication `json:"authentication"`
// authorization specifies how requests to the Kubelet's server are authorized // authorization specifies how requests to the Kubelet's server are authorized
Authorization KubeletAuthorization `json:"authorization"` Authorization KubeletAuthorization `json:"authorization"`
// seccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot string `json:"seccompProfileRoot"`
// allowPrivileged enables containers to request privileged mode. // allowPrivileged enables containers to request privileged mode.
// Defaults to false. // Defaults to false.
AllowPrivileged *bool `json:"allowPrivileged"` AllowPrivileged *bool `json:"allowPrivileged"`


@ -163,7 +163,6 @@ func autoConvert_v1alpha1_KubeletConfiguration_To_kubeletconfig_KubeletConfigura
if err := Convert_v1alpha1_KubeletAuthorization_To_kubeletconfig_KubeletAuthorization(&in.Authorization, &out.Authorization, s); err != nil { if err := Convert_v1alpha1_KubeletAuthorization_To_kubeletconfig_KubeletAuthorization(&in.Authorization, &out.Authorization, s); err != nil {
return err return err
} }
out.SeccompProfileRoot = in.SeccompProfileRoot
if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivileged, &out.AllowPrivileged, s); err != nil { if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivileged, &out.AllowPrivileged, s); err != nil {
return err return err
} }
@ -289,7 +288,6 @@ func autoConvert_kubeletconfig_KubeletConfiguration_To_v1alpha1_KubeletConfigura
if err := Convert_kubeletconfig_KubeletAuthorization_To_v1alpha1_KubeletAuthorization(&in.Authorization, &out.Authorization, s); err != nil { if err := Convert_kubeletconfig_KubeletAuthorization_To_v1alpha1_KubeletAuthorization(&in.Authorization, &out.Authorization, s); err != nil {
return err return err
} }
out.SeccompProfileRoot = in.SeccompProfileRoot
if err := v1.Convert_bool_To_Pointer_bool(&in.AllowPrivileged, &out.AllowPrivileged, s); err != nil { if err := v1.Convert_bool_To_Pointer_bool(&in.AllowPrivileged, &out.AllowPrivileged, s); err != nil {
return err return err
} }


@ -218,7 +218,8 @@ type Builder func(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable bool, registerSchedulable bool,
nonMasqueradeCIDR string, nonMasqueradeCIDR string,
keepTerminatedPodVolumes bool, keepTerminatedPodVolumes bool,
nodeLabels map[string]string) (Bootstrap, error) nodeLabels map[string]string,
seccompProfileRoot string) (Bootstrap, error)
// Dependencies is a bin for things we might consider "injected dependencies" -- objects constructed // Dependencies is a bin for things we might consider "injected dependencies" -- objects constructed
// at runtime that are necessary for running the Kubelet. This is a temporary solution for grouping // at runtime that are necessary for running the Kubelet. This is a temporary solution for grouping
@ -344,7 +345,8 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable bool, registerSchedulable bool,
nonMasqueradeCIDR string, nonMasqueradeCIDR string,
keepTerminatedPodVolumes bool, keepTerminatedPodVolumes bool,
nodeLabels map[string]string) (*Kubelet, error) { nodeLabels map[string]string,
seccompProfileRoot string) (*Kubelet, error) {
if rootDirectory == "" { if rootDirectory == "" {
return nil, fmt.Errorf("invalid root directory %q", rootDirectory) return nil, fmt.Errorf("invalid root directory %q", rootDirectory)
} }
@ -658,7 +660,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
runtime, err := kuberuntime.NewKubeGenericRuntimeManager( runtime, err := kuberuntime.NewKubeGenericRuntimeManager(
kubecontainer.FilterEventRecorder(kubeDeps.Recorder), kubecontainer.FilterEventRecorder(kubeDeps.Recorder),
klet.livenessManager, klet.livenessManager,
kubeCfg.SeccompProfileRoot, seccompProfileRoot,
containerRefManager, containerRefManager,
machineInfo, machineInfo,
klet, klet,
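Review bot: NewMainKubelet rejects an empty `rootDirectory` right after the signature, but the new `seccompProfileRoot` parameter is handed straight to `kuberuntime.NewKubeGenericRuntimeManager` without any check, even though the value now comes from a flag that can be set to `""` and the config-file defaulting that previously guaranteed a value is removed in this commit. What the runtime manager does with an empty or relative root is not visible here, so at minimum mirror the existing guard: `if seccompProfileRoot == "" {`, `return nil, fmt.Errorf("invalid seccomp profile root %q", seccompProfileRoot)`, `}`, and consider requiring `filepath.IsAbs` if the manager joins pod-supplied names onto it. The `Builder` type and NewMainKubelet both extend outside the hunks shown, and the parameter doc comment on `Builder` should name the new argument as well.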