From 227f7d761da950f385d17889c112a48fc246c31d Mon Sep 17 00:00:00 2001
From: Zhen Wang
Date: Thu, 24 May 2018 10:31:28 -0700
Subject: [PATCH] Use default seccomp profile for GCE manifests
---
 cluster/gce/manifests/cluster-autoscaler.manifest | 3 +++
 cluster/gce/manifests/etcd-empty-dir-cleanup.yaml | 1 +
 cluster/gce/manifests/etcd.manifest | 5 +++--
 cluster/gce/manifests/glbc.manifest | 1 +
 cluster/gce/manifests/kube-addon-manager.yaml | 1 +
 cluster/gce/manifests/kube-apiserver.manifest | 3 ++-
 cluster/gce/manifests/kube-controller-manager.manifest | 3 ++-
 cluster/gce/manifests/kube-scheduler.manifest | 3 ++-
 8 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/cluster/gce/manifests/cluster-autoscaler.manifest b/cluster/gce/manifests/cluster-autoscaler.manifest
index fc1b406ea6f..babfd0815e2 100644
--- a/cluster/gce/manifests/cluster-autoscaler.manifest
+++ b/cluster/gce/manifests/cluster-autoscaler.manifest
@@ -7,6 +7,9 @@
 "labels": {
 "tier": "cluster-management",
 "component": "cluster-autoscaler"
+ },
+ "annotations": {
+ "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
 }
 },
 "spec": {
diff --git a/cluster/gce/manifests/etcd-empty-dir-cleanup.yaml b/cluster/gce/manifests/etcd-empty-dir-cleanup.yaml
index 7e1971634ff..9b92d6f40bf 100644
--- a/cluster/gce/manifests/etcd-empty-dir-cleanup.yaml
+++ b/cluster/gce/manifests/etcd-empty-dir-cleanup.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: kube-system
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: ''
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 labels:
 k8s-app: etcd-empty-dir-cleanup
 spec:
diff --git a/cluster/gce/manifests/etcd.manifest b/cluster/gce/manifests/etcd.manifest
index f6f56abcd40..7413603f74a 100644
--- a/cluster/gce/manifests/etcd.manifest
+++ b/cluster/gce/manifests/etcd.manifest
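Review bot: The value `docker/default` added under `annotations` in cluster-autoscaler.manifest names a Docker-specific profile, so the confinement depends on which container runtime the node uses. If the kubelet version these manifests target accepts the runtime-neutral name, prefer `"seccomp.security.alpha.kubernetes.io/pod": "runtime/default"`. The same value is added in the other seven manifests in this patch (etcd-empty-dir-cleanup.yaml, etcd.manifest, glbc.manifest, kube-addon-manager.yaml, kube-apiserver.manifest, kube-controller-manager.manifest, kube-scheduler.manifest) and should change with it. The `metadata` object continues outside the hunk.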
@@ -5,7 +5,8 @@
 "name":"etcd-server{{ suffix }}",
 "namespace": "kube-system",
 "annotations": {
- "scheduler.alpha.kubernetes.io/critical-pod": ""
+ "scheduler.alpha.kubernetes.io/critical-pod": "",
+ "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
 }
 },
 "spec":{
@@ -62,7 +63,7 @@
 "ports": [
 { "name": "serverport",
 "containerPort": {{ server_port }},
- "hostPort": {{ server_port }}
+ "hostPort": {{ server_port }}
 },
 { "name": "clientport",
 "containerPort": {{ port }},
diff --git a/cluster/gce/manifests/glbc.manifest b/cluster/gce/manifests/glbc.manifest
index 2c80aa0caad..4401ab0d193 100644
--- a/cluster/gce/manifests/glbc.manifest
+++ b/cluster/gce/manifests/glbc.manifest
@@ -5,6 +5,7 @@ metadata:
 namespace: kube-system
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: ''
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 labels:
 k8s-app: gcp-lb-controller
 version: v1.1.1
diff --git a/cluster/gce/manifests/kube-addon-manager.yaml b/cluster/gce/manifests/kube-addon-manager.yaml
index c77e914e674..48a3b151939 100644
--- a/cluster/gce/manifests/kube-addon-manager.yaml
+++ b/cluster/gce/manifests/kube-addon-manager.yaml
@@ -5,6 +5,7 @@ metadata:
 namespace: kube-system
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: ''
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 labels:
 component: kube-addon-manager
 spec:
diff --git a/cluster/gce/manifests/kube-apiserver.manifest b/cluster/gce/manifests/kube-apiserver.manifest
index d13dbed70ee..6b9f6bb58a3 100644
--- a/cluster/gce/manifests/kube-apiserver.manifest
+++ b/cluster/gce/manifests/kube-apiserver.manifest
@@ -5,7 +5,8 @@
 "name":"kube-apiserver",
 "namespace": "kube-system",
 "annotations": {
- "scheduler.alpha.kubernetes.io/critical-pod": ""
+ "scheduler.alpha.kubernetes.io/critical-pod": "",
+ "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
 },
 "labels": {
 "tier": "control-plane",
diff --git a/cluster/gce/manifests/kube-controller-manager.manifest b/cluster/gce/manifests/kube-controller-manager.manifest
index 353958642e9..1bd5d2d4a7e 100644
--- a/cluster/gce/manifests/kube-controller-manager.manifest
+++ b/cluster/gce/manifests/kube-controller-manager.manifest
@@ -5,7 +5,8 @@
 "name":"kube-controller-manager",
 "namespace": "kube-system",
 "annotations": {
- "scheduler.alpha.kubernetes.io/critical-pod": ""
+ "scheduler.alpha.kubernetes.io/critical-pod": "",
+ "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
 },
 "labels": {
 "tier": "control-plane",
diff --git a/cluster/gce/manifests/kube-scheduler.manifest b/cluster/gce/manifests/kube-scheduler.manifest
index a7d496fddd6..af71c049f20 100644
--- a/cluster/gce/manifests/kube-scheduler.manifest
+++ b/cluster/gce/manifests/kube-scheduler.manifest
@@ -5,7 +5,8 @@
 "name":"kube-scheduler",
 "namespace": "kube-system",
 "annotations": {
- "scheduler.alpha.kubernetes.io/critical-pod": ""
+ "scheduler.alpha.kubernetes.io/critical-pod": "",
+ "seccomp.security.alpha.kubernetes.io/pod": "docker/default"
 },
 "labels": {
 "tier": "control-plane",
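Review bot: Nothing in the kube-controller-manager.manifest hunk, or the kube-scheduler.manifest hunk after it, shows whether the containers' `securityContext` lets the new pod-level annotation take effect; the container specs lie outside the hunks. Under Docker a privileged container runs without a seccomp filter regardless of this annotation, so confirm that none of these static pods sets `"privileged": true`. The commit message would also benefit from one line stating how enforcement was checked, for example that `Seccomp:` in `/proc/<pid>/status` reads `2` for each component process on a test master.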