
kubelet >=v1.25: expose setting to enable the use of RuntimeDefault as the default seccomp profile for all workloads #2742

Closed
etungsten opened this issue Jan 19, 2023 · 4 comments · Fixed by #3334
Assignees
Labels
area/kubernetes K8s including EKS, EKS-A, and including VMW area/settings Issues related to our settings handling type/enhancement New feature or request

Comments

@etungsten
Contributor

What I'd like:
A new settings.kubernetes setting for controlling whether --seccomp-default is passed to kubelet or not.

In K8s 1.25, SeccompDefault was promoted to beta, which allows users to use a default seccomp profile for all their orchestrated container workloads.

See https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads:

If enabled, the kubelet will use the RuntimeDefault seccomp profile by default, which is defined by the container runtime, instead of using the Unconfined (seccomp disabled) mode. The default profiles aim to provide a strong set of security defaults while preserving the functionality of the workload.

@etungsten etungsten added type/enhancement New feature or request area/kubernetes K8s including EKS, EKS-A, and including VMW area/settings Issues related to our settings handling labels Jan 19, 2023
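Added example (not Bottlerocket's or kubelet's own code) that models the precedence the Kubernetes docs describe: a container-level securityContext.seccompProfile overrides a pod-level one, and only when neither is set does the kubelet fall back to RuntimeDefault (with SeccompDefault enabled) or Unconfined (without it). The pod manifest and names are constructed for the example.

```python
# Resolve the seccomp profile each container of a pod will run under, given
# whether the kubelet's SeccompDefault setting is enabled. Pod specs are plain
# dicts in the shape of a Kubernetes Pod manifest.
from typing import Optional

UNCONFINED = "Unconfined"
RUNTIME_DEFAULT = "RuntimeDefault"


def _explicit_profile(security_context: Optional[dict]) -> Optional[str]:
    """Seccomp profile set explicitly in a securityContext, or None."""
    profile = (security_context or {}).get("seccompProfile")
    if not profile:
        return None
    if profile["type"] == "Localhost":
        # Localhost profiles name a file under the kubelet's seccomp root.
        return "Localhost/" + profile["localhostProfile"]
    return profile["type"]


def _all_containers(pod: dict) -> list:
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])


def effective_seccomp(pod: dict, container_name: str, seccomp_default: bool) -> str:
    """Effective profile for one container: container > pod > kubelet default."""
    container = next(c for c in _all_containers(pod) if c["name"] == container_name)
    explicit = (_explicit_profile(container.get("securityContext"))
                or _explicit_profile(pod["spec"].get("securityContext")))
    if explicit:
        return explicit
    return RUNTIME_DEFAULT if seccomp_default else UNCONFINED


def unconfined_containers(pod: dict, seccomp_default: bool) -> list:
    """Names of containers that would run with seccomp disabled."""
    return [c["name"] for c in _all_containers(pod)
            if effective_seccomp(pod, c["name"], seccomp_default) == UNCONFINED]


# Constructed sample pod: "debug" opts out explicitly, "app" inherits the default.
SAMPLE_POD = {
    "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "app", "image": "example/app:1"},
        {"name": "debug", "image": "example/debug:1",
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
    ]},
}
```

Running `unconfined_containers(SAMPLE_POD, True)` reports only "debug", while with the setting off both containers run Unconfined, which is the gap the requested setting closes.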
@webern
Contributor

webern commented Jan 20, 2023

I haven't fully wrapped my head around all of this, but I hope we don't run into an issue with the: https://github.com/containerd/containerd/blob/d769f03592f11e6c0f06bdeeb64527c28f0ee984/pkg/cri/server/container_create_linux.go#L132

@etungsten
Contributor Author

I don't think there are any conflicts with the containerd logic when picking the runtime spec. With the flag enabled, Kubelet will use the default seccomp profile as defined by cri/containerd.

@zshen-figma

Hello, do we have an estimate on when this will be implemented?

@cartrius-a
Contributor

Hi @zshen-figma, I've gone ahead and opened a PR (#3334) to add this to Bottlerocket.
