Commit e102633a authored by Zhen Wang's avatar Zhen Wang

Change docker/default to runtime/default

parent 38568911
...@@ -45,6 +45,13 @@ const ( ...@@ -45,6 +45,13 @@ const (
// to one container of a pod. // to one container of a pod.
SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/" SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/"
// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
SeccompProfileRuntimeDefault string = "runtime/default"
// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
// This is now deprecated and should be replaced by SeccompProfileRuntimeDefault.
DeprecatedSeccompProfileDockerDefault string = "docker/default"
// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized) // PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
// in the Annotations of a Node. // in the Annotations of a Node.
PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods" PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods"
......
...@@ -3173,7 +3173,7 @@ func validatePodAffinity(podAffinity *core.PodAffinity, fldPath *field.Path) fie ...@@ -3173,7 +3173,7 @@ func validatePodAffinity(podAffinity *core.PodAffinity, fldPath *field.Path) fie
} }
func ValidateSeccompProfile(p string, fldPath *field.Path) field.ErrorList { func ValidateSeccompProfile(p string, fldPath *field.Path) field.ErrorList {
if p == "docker/default" { if p == core.SeccompProfileRuntimeDefault || p == core.DeprecatedSeccompProfileDockerDefault {
return nil return nil
} }
if p == "unconfined" { if p == "unconfined" {
......
...@@ -6276,12 +6276,22 @@ func TestValidatePod(t *testing.T) { ...@@ -6276,12 +6276,22 @@ func TestValidatePod(t *testing.T) {
}, },
Spec: extendPodSpecwithTolerations(validPodSpec(nil), []core.Toleration{{Key: "node.kubernetes.io/not-ready", Operator: "Exists", Effect: "NoExecute", TolerationSeconds: &[]int64{-2}[0]}}), Spec: extendPodSpecwithTolerations(validPodSpec(nil), []core.Toleration{{Key: "node.kubernetes.io/not-ready", Operator: "Exists", Effect: "NoExecute", TolerationSeconds: &[]int64{-2}[0]}}),
}, },
{ // runtime default seccomp profile
ObjectMeta: metav1.ObjectMeta{
Name: "123",
Namespace: "ns",
Annotations: map[string]string{
core.SeccompPodAnnotationKey: core.SeccompProfileRuntimeDefault,
},
},
Spec: validPodSpec(nil),
},
{ // docker default seccomp profile { // docker default seccomp profile
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "123", Name: "123",
Namespace: "ns", Namespace: "ns",
Annotations: map[string]string{ Annotations: map[string]string{
core.SeccompPodAnnotationKey: "docker/default", core.SeccompPodAnnotationKey: core.DeprecatedSeccompProfileDockerDefault,
}, },
}, },
Spec: validPodSpec(nil), Spec: validPodSpec(nil),
......
...@@ -336,7 +336,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) { ...@@ -336,7 +336,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
} }
invalidSeccompAllowed := validPSP() invalidSeccompAllowed := validPSP()
invalidSeccompAllowed.Annotations = map[string]string{ invalidSeccompAllowed.Annotations = map[string]string{
seccomp.AllowedProfilesAnnotationKey: "docker/default,not-good", seccomp.AllowedProfilesAnnotationKey: api.SeccompProfileRuntimeDefault + ",not-good",
} }
invalidAllowedHostPathMissingPath := validPSP() invalidAllowedHostPathMissingPath := validPSP()
...@@ -566,8 +566,8 @@ func TestValidatePodSecurityPolicy(t *testing.T) { ...@@ -566,8 +566,8 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
validSeccomp := validPSP() validSeccomp := validPSP()
validSeccomp.Annotations = map[string]string{ validSeccomp.Annotations = map[string]string{
seccomp.DefaultProfileAnnotationKey: "docker/default", seccomp.DefaultProfileAnnotationKey: api.SeccompProfileRuntimeDefault,
seccomp.AllowedProfilesAnnotationKey: "docker/default,unconfined,localhost/foo,*", seccomp.AllowedProfilesAnnotationKey: api.SeccompProfileRuntimeDefault + ",unconfined,localhost/foo,*",
} }
validDefaultAllowPrivilegeEscalation := validPSP() validDefaultAllowPrivilegeEscalation := validPSP()
......
...@@ -572,7 +572,7 @@ type LinuxSandboxSecurityContext struct { ...@@ -572,7 +572,7 @@ type LinuxSandboxSecurityContext struct {
// privileged containers are expected to be run. // privileged containers are expected to be run.
Privileged bool `protobuf:"varint,6,opt,name=privileged,proto3" json:"privileged,omitempty"` Privileged bool `protobuf:"varint,6,opt,name=privileged,proto3" json:"privileged,omitempty"`
// Seccomp profile for the sandbox, candidate values are: // Seccomp profile for the sandbox, candidate values are:
// * docker/default: the default profile for the docker container runtime // * runtime/default: the default profile for the container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing // * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node. // * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile. // <full-path-to-profile> is the full path of the profile.
...@@ -1487,7 +1487,7 @@ type LinuxContainerSecurityContext struct { ...@@ -1487,7 +1487,7 @@ type LinuxContainerSecurityContext struct {
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference // http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
ApparmorProfile string `protobuf:"bytes,9,opt,name=apparmor_profile,json=apparmorProfile,proto3" json:"apparmor_profile,omitempty"` ApparmorProfile string `protobuf:"bytes,9,opt,name=apparmor_profile,json=apparmorProfile,proto3" json:"apparmor_profile,omitempty"`
// Seccomp profile for the container, candidate values are: // Seccomp profile for the container, candidate values are:
// * docker/default: the default profile for the docker container runtime // * runtime/default: the default profile for the container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing // * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node. // * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile. // <full-path-to-profile> is the full path of the profile.
......
...@@ -252,7 +252,7 @@ message LinuxSandboxSecurityContext { ...@@ -252,7 +252,7 @@ message LinuxSandboxSecurityContext {
// privileged containers are expected to be run. // privileged containers are expected to be run.
bool privileged = 6; bool privileged = 6;
// Seccomp profile for the sandbox, candidate values are: // Seccomp profile for the sandbox, candidate values are:
// * docker/default: the default profile for the docker container runtime // * runtime/default: the default profile for the container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing // * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node. // * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile. // <full-path-to-profile> is the full path of the profile.
...@@ -577,7 +577,7 @@ message LinuxContainerSecurityContext { ...@@ -577,7 +577,7 @@ message LinuxContainerSecurityContext {
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference // http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
string apparmor_profile = 9; string apparmor_profile = 9;
// Seccomp profile for the container, candidate values are: // Seccomp profile for the container, candidate values are:
// * docker/default: the default profile for the docker container runtime // * runtime/default: the default profile for the container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing // * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node. // * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile. // <full-path-to-profile> is the full path of the profile.
......
...@@ -167,7 +167,12 @@ go_test( ...@@ -167,7 +167,12 @@ go_test(
"//vendor/github.com/stretchr/testify/assert:go_default_library", "//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/github.com/stretchr/testify/require:go_default_library", "//vendor/github.com/stretchr/testify/require:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library",
], ] + select({
"@io_bazel_rules_go//go/platform:linux": [
"//vendor/k8s.io/api/core/v1:go_default_library",
],
"//conditions:default": [],
}),
) )
filegroup( filegroup(
......
...@@ -30,6 +30,7 @@ import ( ...@@ -30,6 +30,7 @@ import (
"github.com/blang/semver" "github.com/blang/semver"
dockertypes "github.com/docker/docker/api/types" dockertypes "github.com/docker/docker/api/types"
dockercontainer "github.com/docker/docker/api/types/container" dockercontainer "github.com/docker/docker/api/types/container"
"k8s.io/api/core/v1"
runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2" runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
) )
...@@ -53,7 +54,7 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) { ...@@ -53,7 +54,7 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
return defaultSeccompOpt, nil return defaultSeccompOpt, nil
} }
if seccompProfile == "docker/default" { if seccompProfile == v1.SeccompProfileRuntimeDefault || seccompProfile == v1.DeprecatedSeccompProfileDockerDefault {
// return nil so docker will load the default seccomp profile // return nil so docker will load the default seccomp profile
return nil, nil return nil, nil
} }
......
...@@ -27,6 +27,7 @@ import ( ...@@ -27,6 +27,7 @@ import (
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"k8s.io/api/core/v1"
) )
func TestGetSeccompSecurityOpts(t *testing.T) { func TestGetSeccompSecurityOpts(t *testing.T) {
...@@ -44,7 +45,11 @@ func TestGetSeccompSecurityOpts(t *testing.T) { ...@@ -44,7 +45,11 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
expectedOpts: []string{"seccomp=unconfined"}, expectedOpts: []string{"seccomp=unconfined"},
}, { }, {
msg: "Seccomp default", msg: "Seccomp default",
seccompProfile: "docker/default", seccompProfile: v1.SeccompProfileRuntimeDefault,
expectedOpts: nil,
}, {
msg: "Seccomp deprecated default",
seccompProfile: v1.DeprecatedSeccompProfileDockerDefault,
expectedOpts: nil, expectedOpts: nil,
}} }}
......
...@@ -232,19 +232,34 @@ func TestGetSeccompProfileFromAnnotations(t *testing.T) { ...@@ -232,19 +232,34 @@ func TestGetSeccompProfileFromAnnotations(t *testing.T) {
expectedProfile: "", expectedProfile: "",
}, },
{ {
description: "pod runtime/default seccomp profile should return runtime/default",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
},
expectedProfile: v1.SeccompProfileRuntimeDefault,
},
{
description: "pod docker/default seccomp profile should return docker/default", description: "pod docker/default seccomp profile should return docker/default",
annotation: map[string]string{ annotation: map[string]string{
v1.SeccompPodAnnotationKey: "docker/default", v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
}, },
expectedProfile: "docker/default", expectedProfile: v1.DeprecatedSeccompProfileDockerDefault,
},
{
description: "pod runtime/default seccomp profile with containerName should return runtime/default",
annotation: map[string]string{
v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
},
containerName: "container1",
expectedProfile: v1.SeccompProfileRuntimeDefault,
}, },
{ {
description: "pod docker/default seccomp profile with containerName should return docker/default", description: "pod docker/default seccomp profile with containerName should return docker/default",
annotation: map[string]string{ annotation: map[string]string{
v1.SeccompPodAnnotationKey: "docker/default", v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "docker/default", expectedProfile: v1.DeprecatedSeccompProfileDockerDefault,
}, },
{ {
description: "pod unconfined seccomp profile should return unconfined", description: "pod unconfined seccomp profile should return unconfined",
......
...@@ -45,6 +45,13 @@ const ( ...@@ -45,6 +45,13 @@ const (
// to one container of a pod. // to one container of a pod.
SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/" SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/"
// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
SeccompProfileRuntimeDefault string = "runtime/default"
// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
// This is now deprecated and should be replaced by SeccompProfileRuntimeDefault.
DeprecatedSeccompProfileDockerDefault string = "docker/default"
// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized) // PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
// in the Annotations of a Node. // in the Annotations of a Node.
PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods" PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods"
......
...@@ -316,7 +316,7 @@ func restrictedPod(f *framework.Framework, name string) *v1.Pod { ...@@ -316,7 +316,7 @@ func restrictedPod(f *framework.Framework, name string) *v1.Pod {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: name, Name: name,
Annotations: map[string]string{ Annotations: map[string]string{
v1.SeccompPodAnnotationKey: "docker/default", v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
apparmor.ContainerAnnotationKeyPrefix + "pause": apparmor.ProfileRuntimeDefault, apparmor.ContainerAnnotationKeyPrefix + "pause": apparmor.ProfileRuntimeDefault,
}, },
}, },
...@@ -374,8 +374,8 @@ func restrictedPSPInPolicy(name string) *policy.PodSecurityPolicy { ...@@ -374,8 +374,8 @@ func restrictedPSPInPolicy(name string) *policy.PodSecurityPolicy {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: name, Name: name,
Annotations: map[string]string{ Annotations: map[string]string{
seccomp.AllowedProfilesAnnotationKey: "docker/default", seccomp.AllowedProfilesAnnotationKey: v1.SeccompProfileRuntimeDefault,
seccomp.DefaultProfileAnnotationKey: "docker/default", seccomp.DefaultProfileAnnotationKey: v1.SeccompProfileRuntimeDefault,
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault, apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault,
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault, apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
}, },
...@@ -429,8 +429,8 @@ func restrictedPSP(name string) *extensionsv1beta1.PodSecurityPolicy { ...@@ -429,8 +429,8 @@ func restrictedPSP(name string) *extensionsv1beta1.PodSecurityPolicy {
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: name, Name: name,
Annotations: map[string]string{ Annotations: map[string]string{
seccomp.AllowedProfilesAnnotationKey: "docker/default", seccomp.AllowedProfilesAnnotationKey: v1.SeccompProfileRuntimeDefault,
seccomp.DefaultProfileAnnotationKey: "docker/default", seccomp.DefaultProfileAnnotationKey: v1.SeccompProfileRuntimeDefault,
apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault, apparmor.AllowedProfilesAnnotationKey: apparmor.ProfileRuntimeDefault,
apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault, apparmor.DefaultProfileAnnotationKey: apparmor.ProfileRuntimeDefault,
}, },
......
...@@ -144,7 +144,7 @@ var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() { ...@@ -144,7 +144,7 @@ var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() {
// TODO: port to SecurityContext as soon as seccomp is out of alpha // TODO: port to SecurityContext as soon as seccomp is out of alpha
pod := scTestPod(false, false) pod := scTestPod(false, false)
pod.Annotations[v1.SeccompContainerAnnotationKeyPrefix+"test-container"] = "unconfined" pod.Annotations[v1.SeccompContainerAnnotationKeyPrefix+"test-container"] = "unconfined"
pod.Annotations[v1.SeccompPodAnnotationKey] = "docker/default" pod.Annotations[v1.SeccompPodAnnotationKey] = v1.SeccompProfileRuntimeDefault
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"} pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
f.TestContainerOutput(v1.SeccompPodAnnotationKey, pod, 0, []string{"0"}) // seccomp disabled f.TestContainerOutput(v1.SeccompPodAnnotationKey, pod, 0, []string{"0"}) // seccomp disabled
}) })
...@@ -157,10 +157,10 @@ var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() { ...@@ -157,10 +157,10 @@ var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() {
f.TestContainerOutput(v1.SeccompPodAnnotationKey, pod, 0, []string{"0"}) // seccomp disabled f.TestContainerOutput(v1.SeccompPodAnnotationKey, pod, 0, []string{"0"}) // seccomp disabled
}) })
It("should support seccomp alpha docker/default annotation [Feature:Seccomp]", func() { It("should support seccomp alpha runtime/default annotation [Feature:Seccomp]", func() {
// TODO: port to SecurityContext as soon as seccomp is out of alpha // TODO: port to SecurityContext as soon as seccomp is out of alpha
pod := scTestPod(false, false) pod := scTestPod(false, false)
pod.Annotations[v1.SeccompContainerAnnotationKeyPrefix+"test-container"] = "docker/default" pod.Annotations[v1.SeccompContainerAnnotationKeyPrefix+"test-container"] = v1.SeccompProfileRuntimeDefault
pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"} pod.Spec.Containers[0].Command = []string{"grep", "ecc", "/proc/self/status"}
f.TestContainerOutput(v1.SeccompPodAnnotationKey, pod, 0, []string{"2"}) // seccomp filtered f.TestContainerOutput(v1.SeccompPodAnnotationKey, pod, 0, []string{"2"}) // seccomp filtered
}) })
......
...@@ -449,7 +449,7 @@ Secrets should be consumable via the environment,ixdy,1,apps ...@@ -449,7 +449,7 @@ Secrets should be consumable via the environment,ixdy,1,apps
Security Context should support container.SecurityContext.RunAsUser,alex-mohr,1,apps Security Context should support container.SecurityContext.RunAsUser,alex-mohr,1,apps
Security Context should support pod.Spec.SecurityContext.RunAsUser,bgrant0607,1,apps Security Context should support pod.Spec.SecurityContext.RunAsUser,bgrant0607,1,apps
Security Context should support pod.Spec.SecurityContext.SupplementalGroups,rrati,0,apps Security Context should support pod.Spec.SecurityContext.SupplementalGroups,rrati,0,apps
Security Context should support seccomp alpha docker/default annotation,freehan,1,apps Security Context should support seccomp alpha runtime/default annotation,freehan,1,apps
Security Context should support seccomp alpha unconfined annotation on the container,childsb,1,apps Security Context should support seccomp alpha unconfined annotation on the container,childsb,1,apps
Security Context should support seccomp alpha unconfined annotation on the pod,krousey,1,apps Security Context should support seccomp alpha unconfined annotation on the pod,krousey,1,apps
Security Context should support seccomp default which is unconfined,lavalamp,1,apps Security Context should support seccomp default which is unconfined,lavalamp,1,apps
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment