Commit ad6bd780 authored by Dr. Stefan Schimanski's avatar Dr. Stefan Schimanski

Move /seccomp/ into domain prefix in seccomp annotations

Double slashes are not allowed in annotation keys. Moreover, using the 63 characters of the name component in an annotation key will shorted the space for the container name.
parent 6460b341
......@@ -202,11 +202,11 @@ use annotations instead of extending the API with new fields.
In the alpha version of this feature we will use annotations to store the
names of seccomp profiles. The keys will be:
`security.alpha.kubernetes.io/seccomp/container/<container name>`
`container.seccomp.security.alpha.kubernetes.io/<container name>`
which will be used to set the seccomp profile of a container, and:
`security.alpha.kubernetes.io/seccomp/pod`
`seccomp.security.alpha.kubernetes.io/pod`
which will set the seccomp profile for the containers of an entire pod. If a
pod-level annotation is present, and a container-level annotation present for
......@@ -240,7 +240,7 @@ subdirectory of the kubelet root directory.
The `PodSecurityPolicy` type should be annotated with the allowed seccomp
profiles using the key
`security.alpha.kubernetes.io/allowedSeccompProfileNames`. The value of this
`seccomp.security.alpha.kubernetes.io/allowedProfileNames`. The value of this
key should be a comma delimited list.
## Examples
......@@ -255,7 +255,7 @@ kind: Pod
metadata:
name: trustworthy-pod
annotations:
security.alpha.kubernetes.io/seccomp/pod: unconfined
seccomp.security.alpha.kubernetes.io/pod: unconfined
spec:
containers:
- name: trustworthy-container
......@@ -273,7 +273,7 @@ kind: Pod
metadata:
name: explorer
annotations:
security.alpha.kubernetes.io/seccomp/container/explorer: localhost/example-explorer-profile
container.seccomp.security.alpha.kubernetes.io/explorer: localhost/example-explorer-profile
spec:
containers:
- name: explorer
......
......@@ -993,10 +993,10 @@ func (dm *DockerManager) getSecurityOpt(pod *api.Pod, ctrName string) ([]string,
return nil, nil
}
profile, profileOK := pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/container/"+ctrName]
profile, profileOK := pod.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+ctrName]
if !profileOK {
// try the pod profile
profile, profileOK = pod.ObjectMeta.Annotations["security.alpha.kubernetes.io/seccomp/pod"]
profile, profileOK = pod.ObjectMeta.Annotations["seccomp.security.alpha.kubernetes.io/pod"]
if !profileOK {
// return early the default
return defaultSecurityOpt, nil
......
......@@ -1762,7 +1762,7 @@ func TestUnconfinedSeccompProfileWithDockerV110(t *testing.T) {
Name: "foo4",
Namespace: "new",
Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "unconfined",
"seccomp.security.alpha.kubernetes.io/pod": "unconfined",
},
},
Spec: api.PodSpec{
......@@ -1804,7 +1804,7 @@ func TestDefaultSeccompProfileWithDockerV110(t *testing.T) {
Name: "foo1",
Namespace: "new",
Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "docker/default",
"seccomp.security.alpha.kubernetes.io/pod": "docker/default",
},
},
Spec: api.PodSpec{
......@@ -1846,8 +1846,8 @@ func TestSeccompContainerAnnotationTrumpsPod(t *testing.T) {
Name: "foo2",
Namespace: "new",
Annotations: map[string]string{
"security.alpha.kubernetes.io/seccomp/pod": "unconfined",
"security.alpha.kubernetes.io/seccomp/container/bar2": "docker/default",
"seccomp.security.alpha.kubernetes.io/pod": "unconfined",
"container.seccomp.security.alpha.kubernetes.io/bar2": "docker/default",
},
},
Spec: api.PodSpec{
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment