diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 84f221346cb..ca75d7cd9c6 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -819,7 +819,7 @@ func RunDockershim(c *componentconfig.KubeletConfiguration, r *options.Container
 		SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols,
 	}
-	ds, err := dockershim.NewDockerService(dockerClient, c.SeccompProfileRoot, r.PodSandboxImage,
+	ds, err := dockershim.NewDockerService(dockerClient, r.PodSandboxImage,
 		streamingConfig, &pluginSettings, c.RuntimeCgroups, c.CgroupDriver, r.DockerExecHandlerName, r.DockershimRootDirectory, r.DockerDisableSharedPID)
 	if err != nil {
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index 03e43ed1d77..65e33218212 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@@ -577,7 +577,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration,
 	case kubetypes.DockerContainerRuntime:
 		// Create and start the CRI shim running as a grpc server.
 		streamingConfig := getStreamingConfig(kubeCfg, kubeDeps)
-		ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, kubeCfg.SeccompProfileRoot, crOptions.PodSandboxImage,
+		ds, err := dockershim.NewDockerService(kubeDeps.DockerClient, crOptions.PodSandboxImage,
 			streamingConfig, &pluginSettings, kubeCfg.RuntimeCgroups, kubeCfg.CgroupDriver, crOptions.DockerExecHandlerName, crOptions.DockershimRootDirectory, crOptions.DockerDisableSharedPID)
 		if err != nil {
@@ -621,6 +621,7 @@ func NewMainKubelet(kubeCfg *componentconfig.KubeletConfiguration,
 	runtime, err := kuberuntime.NewKubeGenericRuntimeManager(
 		kubecontainer.FilterEventRecorder(kubeDeps.Recorder),
 		klet.livenessManager,
+		kubeCfg.SeccompProfileRoot,
 		containerRefManager,
 		machineInfo,
 		klet.podManager,
diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
index 8fcbe29a33c..6f1a8a1d237 100644
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"path/filepath"
 	"strconv"
+	"strings"
 
 	"github.com/golang/glog"
 	"k8s.io/api/core/v1"
@@ -255,3 +256,30 @@ func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string
 	return sysctls, nil
 }
+
+// getSeccompProfileFromAnnotations gets seccomp profile from annotations.
+// It gets pod's profile if containerName is null.
+func (m *kubeGenericRuntimeManager) getSeccompProfileFromAnnotations(annotations map[string]string, containerName string) string {
+	// try the pod profile.
+	profile, profileOK := annotations[v1.SeccompPodAnnotationKey]
+	if containerName != "" {
+		// try the container profile.
+		cProfile, cProfileOK := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]
+		if cProfileOK {
+			profile = cProfile
+			profileOK = cProfileOK
+		}
+	}
+
+	if !profileOK {
+		return ""
+	}
+
+	if strings.HasPrefix(profile, "localhost/") {
+		name := strings.TrimPrefix(profile, "localhost/")
+		fname := filepath.Join(m.seccompProfileRoot, filepath.FromSlash(name))
+		return fname
+	}
+
+	return profile
+}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_manager.go b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
index 545cb0d252b..ef50d958fbb 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_manager.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_manager.go
@@ -105,6 +105,9 @@ type kubeGenericRuntimeManager struct {
 	// The version cache of runtime daemon.
 	versionCache *cache.ObjectCache
+
+	// The directory path for seccomp profiles.
+	seccompProfileRoot string
 }
 
 type KubeGenericRuntime interface {
@@ -117,6 +120,7 @@ type KubeGenericRuntime interface {
 func NewKubeGenericRuntimeManager(
 	recorder record.EventRecorder,
 	livenessManager proberesults.Manager,
+	seccompProfileRoot string,
 	containerRefManager *kubecontainer.RefManager,
 	machineInfo *cadvisorapi.MachineInfo,
 	podGetter podGetter,
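Review bot: The `localhost/` branch of getSeccompProfileFromAnnotations joins an annotation-supplied name under seccompProfileRoot without rejecting `..` components, so a value like `localhost/../../some/file.json` resolves outside the profile root; `filepath.Join` cleans the path but does not confine it. Unless API validation already rejects such names (not visible in this diff), the annotation is pod-spec controlled, so a pod author could point the runtime at any file on the node as its seccomp profile. Returning `""` on a bad name is not a safe rejection here because the new callers treat `""` as "no profile requested", so the guard should either fail the pod (an error return, which changes both call sites) or be enforced in API validation; at minimum confine the result with `if rel, err := filepath.Rel(m.seccompProfileRoot, fname); err != nil || rel == ".." || strings.HasPrefix(rel, "../") { /* reject, do not fall through to "" */ }`. The doc comment should also read `It returns the pod's profile if containerName is empty.` rather than "null", since a Go string cannot be nil.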
@@ -134,6 +138,7 @@ func NewKubeGenericRuntimeManager(
 	kubeRuntimeManager := &kubeGenericRuntimeManager{
 		recorder: recorder,
 		cpuCFSQuota: cpuCFSQuota,
+		seccompProfileRoot: seccompProfileRoot,
 		livenessManager: livenessManager,
 		containerRefManager: containerRefManager,
 		machineInfo: machineInfo,
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index 3b2633eac9a..670181b3199 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -135,7 +135,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 	lc := &runtimeapi.LinuxPodSandboxConfig{
 		CgroupParent: cgroupParent,
 		SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
-			Privileged: kubecontainer.HasPrivilegedContainer(pod),
+			Privileged: kubecontainer.HasPrivilegedContainer(pod),
+			SeccompProfilePath: m.getSeccompProfileFromAnnotations(pod.Annotations, ""),
 		},
 	}
diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
index 715b9412313..c0d4ce7347a 100644
--- a/pkg/kubelet/kuberuntime/security_context.go
+++ b/pkg/kubelet/kuberuntime/security_context.go
@@ -33,6 +33,9 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 		synthesized = &runtimeapi.LinuxContainerSecurityContext{}
 	}
 
+	// set SeccompProfilePath.
+	synthesized.SeccompProfilePath = m.getSeccompProfileFromAnnotations(pod.Annotations, container.Name)
+
 	// set ApparmorProfile.
 	synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name)
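Review bot: The new `// set SeccompProfilePath.` comment in determineEffectiveSecurityContext only restates the assignment; what a reader needs is the precedence rule and what the empty value means to the CRI runtime. Suggest replacing it with `// Container-level annotation wins over the pod-level one; "" means no profile was requested and the runtime decides what to apply, so "" must not be read as "confined".` Whether "" maps to unconfined or to a runtime default is decided by the CRI implementation rather than by this code, so that part of the comment should be checked against the dockershim side before it is committed. The enclosing function starts before this hunk and continues after it.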