Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
e102633a
Commit
e102633a
authored
Apr 19, 2018
by
Zhen Wang
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Change docker/default to runtime/default
parent
38568911
Hide whitespace changes
Inline
Side-by-side
Showing
14 changed files
with
75 additions
and
25 deletions
+75
-25
annotation_key_constants.go
pkg/apis/core/annotation_key_constants.go
+7
-0
validation.go
pkg/apis/core/validation/validation.go
+1
-1
validation_test.go
pkg/apis/core/validation/validation_test.go
+11
-1
validation_test.go
pkg/apis/policy/validation/validation_test.go
+3
-3
api.pb.go
pkg/kubelet/apis/cri/runtime/v1alpha2/api.pb.go
+2
-2
api.proto
pkg/kubelet/apis/cri/runtime/v1alpha2/api.proto
+2
-2
BUILD
pkg/kubelet/dockershim/BUILD
+6
-1
helpers_linux.go
pkg/kubelet/dockershim/helpers_linux.go
+2
-1
helpers_linux_test.go
pkg/kubelet/dockershim/helpers_linux_test.go
+6
-1
helpers_test.go
pkg/kubelet/kuberuntime/helpers_test.go
+19
-4
annotation_key_constants.go
staging/src/k8s.io/api/core/v1/annotation_key_constants.go
+7
-0
pod_security_policy.go
test/e2e/auth/pod_security_policy.go
+5
-5
security_context.go
test/e2e/node/security_context.go
+3
-3
test_owners.csv
test/test_owners.csv
+1
-1
No files found.
pkg/apis/core/annotation_key_constants.go
View file @
e102633a
...
@@ -45,6 +45,13 @@ const (
...
@@ -45,6 +45,13 @@ const (
// to one container of a pod.
// to one container of a pod.
SeccompContainerAnnotationKeyPrefix
string
=
"container.seccomp.security.alpha.kubernetes.io/"
SeccompContainerAnnotationKeyPrefix
string
=
"container.seccomp.security.alpha.kubernetes.io/"
// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
SeccompProfileRuntimeDefault
string
=
"runtime/default"
// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
// This is now deprecated and should be replaced by SeccompProfileRuntimeDefault.
DeprecatedSeccompProfileDockerDefault
string
=
"docker/default"
// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
// in the Annotations of a Node.
// in the Annotations of a Node.
PreferAvoidPodsAnnotationKey
string
=
"scheduler.alpha.kubernetes.io/preferAvoidPods"
PreferAvoidPodsAnnotationKey
string
=
"scheduler.alpha.kubernetes.io/preferAvoidPods"
...
...
pkg/apis/core/validation/validation.go
View file @
e102633a
...
@@ -3173,7 +3173,7 @@ func validatePodAffinity(podAffinity *core.PodAffinity, fldPath *field.Path) fie
...
@@ -3173,7 +3173,7 @@ func validatePodAffinity(podAffinity *core.PodAffinity, fldPath *field.Path) fie
}
}
func
ValidateSeccompProfile
(
p
string
,
fldPath
*
field
.
Path
)
field
.
ErrorList
{
func
ValidateSeccompProfile
(
p
string
,
fldPath
*
field
.
Path
)
field
.
ErrorList
{
if
p
==
"docker/default"
{
if
p
==
core
.
SeccompProfileRuntimeDefault
||
p
==
core
.
DeprecatedSeccompProfileDockerDefault
{
return
nil
return
nil
}
}
if
p
==
"unconfined"
{
if
p
==
"unconfined"
{
...
...
pkg/apis/core/validation/validation_test.go
View file @
e102633a
...
@@ -6276,12 +6276,22 @@ func TestValidatePod(t *testing.T) {
...
@@ -6276,12 +6276,22 @@ func TestValidatePod(t *testing.T) {
},
},
Spec
:
extendPodSpecwithTolerations
(
validPodSpec
(
nil
),
[]
core
.
Toleration
{{
Key
:
"node.kubernetes.io/not-ready"
,
Operator
:
"Exists"
,
Effect
:
"NoExecute"
,
TolerationSeconds
:
&
[]
int64
{
-
2
}[
0
]}}),
Spec
:
extendPodSpecwithTolerations
(
validPodSpec
(
nil
),
[]
core
.
Toleration
{{
Key
:
"node.kubernetes.io/not-ready"
,
Operator
:
"Exists"
,
Effect
:
"NoExecute"
,
TolerationSeconds
:
&
[]
int64
{
-
2
}[
0
]}}),
},
},
{
// runtime default seccomp profile
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
"123"
,
Namespace
:
"ns"
,
Annotations
:
map
[
string
]
string
{
core
.
SeccompPodAnnotationKey
:
core
.
SeccompProfileRuntimeDefault
,
},
},
Spec
:
validPodSpec
(
nil
),
},
{
// docker default seccomp profile
{
// docker default seccomp profile
ObjectMeta
:
metav1
.
ObjectMeta
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
"123"
,
Name
:
"123"
,
Namespace
:
"ns"
,
Namespace
:
"ns"
,
Annotations
:
map
[
string
]
string
{
Annotations
:
map
[
string
]
string
{
core
.
SeccompPodAnnotationKey
:
"docker/default"
,
core
.
SeccompPodAnnotationKey
:
core
.
DeprecatedSeccompProfileDockerDefault
,
},
},
},
},
Spec
:
validPodSpec
(
nil
),
Spec
:
validPodSpec
(
nil
),
...
...
pkg/apis/policy/validation/validation_test.go
View file @
e102633a
...
@@ -336,7 +336,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
...
@@ -336,7 +336,7 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
}
}
invalidSeccompAllowed
:=
validPSP
()
invalidSeccompAllowed
:=
validPSP
()
invalidSeccompAllowed
.
Annotations
=
map
[
string
]
string
{
invalidSeccompAllowed
.
Annotations
=
map
[
string
]
string
{
seccomp
.
AllowedProfilesAnnotationKey
:
"docker/default
,not-good"
,
seccomp
.
AllowedProfilesAnnotationKey
:
api
.
SeccompProfileRuntimeDefault
+
"
,not-good"
,
}
}
invalidAllowedHostPathMissingPath
:=
validPSP
()
invalidAllowedHostPathMissingPath
:=
validPSP
()
...
@@ -566,8 +566,8 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
...
@@ -566,8 +566,8 @@ func TestValidatePodSecurityPolicy(t *testing.T) {
validSeccomp
:=
validPSP
()
validSeccomp
:=
validPSP
()
validSeccomp
.
Annotations
=
map
[
string
]
string
{
validSeccomp
.
Annotations
=
map
[
string
]
string
{
seccomp
.
DefaultProfileAnnotationKey
:
"docker/default"
,
seccomp
.
DefaultProfileAnnotationKey
:
api
.
SeccompProfileRuntimeDefault
,
seccomp
.
AllowedProfilesAnnotationKey
:
"docker/default
,unconfined,localhost/foo,*"
,
seccomp
.
AllowedProfilesAnnotationKey
:
api
.
SeccompProfileRuntimeDefault
+
"
,unconfined,localhost/foo,*"
,
}
}
validDefaultAllowPrivilegeEscalation
:=
validPSP
()
validDefaultAllowPrivilegeEscalation
:=
validPSP
()
...
...
pkg/kubelet/apis/cri/runtime/v1alpha2/api.pb.go
View file @
e102633a
...
@@ -572,7 +572,7 @@ type LinuxSandboxSecurityContext struct {
...
@@ -572,7 +572,7 @@ type LinuxSandboxSecurityContext struct {
// privileged containers are expected to be run.
// privileged containers are expected to be run.
Privileged
bool
`protobuf:"varint,6,opt,name=privileged,proto3" json:"privileged,omitempty"`
Privileged
bool
`protobuf:"varint,6,opt,name=privileged,proto3" json:"privileged,omitempty"`
// Seccomp profile for the sandbox, candidate values are:
// Seccomp profile for the sandbox, candidate values are:
// *
docker/default: the default profile for the docker
container runtime
// *
runtime/default: the default profile for the
container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing
// * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node.
// * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile.
// <full-path-to-profile> is the full path of the profile.
...
@@ -1487,7 +1487,7 @@ type LinuxContainerSecurityContext struct {
...
@@ -1487,7 +1487,7 @@ type LinuxContainerSecurityContext struct {
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
ApparmorProfile
string
`protobuf:"bytes,9,opt,name=apparmor_profile,json=apparmorProfile,proto3" json:"apparmor_profile,omitempty"`
ApparmorProfile
string
`protobuf:"bytes,9,opt,name=apparmor_profile,json=apparmorProfile,proto3" json:"apparmor_profile,omitempty"`
// Seccomp profile for the container, candidate values are:
// Seccomp profile for the container, candidate values are:
// *
docker/default: the default profile for the docker
container runtime
// *
runtime/default: the default profile for the
container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing
// * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node.
// * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile.
// <full-path-to-profile> is the full path of the profile.
...
...
pkg/kubelet/apis/cri/runtime/v1alpha2/api.proto
View file @
e102633a
...
@@ -252,7 +252,7 @@ message LinuxSandboxSecurityContext {
...
@@ -252,7 +252,7 @@ message LinuxSandboxSecurityContext {
// privileged containers are expected to be run.
// privileged containers are expected to be run.
bool
privileged
=
6
;
bool
privileged
=
6
;
// Seccomp profile for the sandbox, candidate values are:
// Seccomp profile for the sandbox, candidate values are:
// *
docker/default: the default profile for the docker
container runtime
// *
runtime/default: the default profile for the
container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing
// * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node.
// * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile.
// <full-path-to-profile> is the full path of the profile.
...
@@ -577,7 +577,7 @@ message LinuxContainerSecurityContext {
...
@@ -577,7 +577,7 @@ message LinuxContainerSecurityContext {
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
// http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
string
apparmor_profile
=
9
;
string
apparmor_profile
=
9
;
// Seccomp profile for the container, candidate values are:
// Seccomp profile for the container, candidate values are:
// *
docker/default: the default profile for the docker
container runtime
// *
runtime/default: the default profile for the
container runtime
// * unconfined: unconfined profile, ie, no seccomp sandboxing
// * unconfined: unconfined profile, ie, no seccomp sandboxing
// * localhost/<full-path-to-profile>: the profile installed on the node.
// * localhost/<full-path-to-profile>: the profile installed on the node.
// <full-path-to-profile> is the full path of the profile.
// <full-path-to-profile> is the full path of the profile.
...
...
pkg/kubelet/dockershim/BUILD
View file @
e102633a
...
@@ -167,7 +167,12 @@ go_test(
...
@@ -167,7 +167,12 @@ go_test(
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/github.com/stretchr/testify/require:go_default_library",
"//vendor/github.com/stretchr/testify/require:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/clock:go_default_library",
],
] + select({
"@io_bazel_rules_go//go/platform:linux": [
"//vendor/k8s.io/api/core/v1:go_default_library",
],
"//conditions:default": [],
}),
)
)
filegroup(
filegroup(
...
...
pkg/kubelet/dockershim/helpers_linux.go
View file @
e102633a
...
@@ -30,6 +30,7 @@ import (
...
@@ -30,6 +30,7 @@ import (
"github.com/blang/semver"
"github.com/blang/semver"
dockertypes
"github.com/docker/docker/api/types"
dockertypes
"github.com/docker/docker/api/types"
dockercontainer
"github.com/docker/docker/api/types/container"
dockercontainer
"github.com/docker/docker/api/types/container"
"k8s.io/api/core/v1"
runtimeapi
"k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
runtimeapi
"k8s.io/kubernetes/pkg/kubelet/apis/cri/runtime/v1alpha2"
)
)
...
@@ -53,7 +54,7 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
...
@@ -53,7 +54,7 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
return
defaultSeccompOpt
,
nil
return
defaultSeccompOpt
,
nil
}
}
if
seccompProfile
==
"docker/default"
{
if
seccompProfile
==
v1
.
SeccompProfileRuntimeDefault
||
seccompProfile
==
v1
.
DeprecatedSeccompProfileDockerDefault
{
// return nil so docker will load the default seccomp profile
// return nil so docker will load the default seccomp profile
return
nil
,
nil
return
nil
,
nil
}
}
...
...
pkg/kubelet/dockershim/helpers_linux_test.go
View file @
e102633a
...
@@ -27,6 +27,7 @@ import (
...
@@ -27,6 +27,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/stretchr/testify/require"
"k8s.io/api/core/v1"
)
)
func
TestGetSeccompSecurityOpts
(
t
*
testing
.
T
)
{
func
TestGetSeccompSecurityOpts
(
t
*
testing
.
T
)
{
...
@@ -44,7 +45,11 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
...
@@ -44,7 +45,11 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
expectedOpts
:
[]
string
{
"seccomp=unconfined"
},
expectedOpts
:
[]
string
{
"seccomp=unconfined"
},
},
{
},
{
msg
:
"Seccomp default"
,
msg
:
"Seccomp default"
,
seccompProfile
:
"docker/default"
,
seccompProfile
:
v1
.
SeccompProfileRuntimeDefault
,
expectedOpts
:
nil
,
},
{
msg
:
"Seccomp deprecated default"
,
seccompProfile
:
v1
.
DeprecatedSeccompProfileDockerDefault
,
expectedOpts
:
nil
,
expectedOpts
:
nil
,
}}
}}
...
...
pkg/kubelet/kuberuntime/helpers_test.go
View file @
e102633a
...
@@ -232,19 +232,34 @@ func TestGetSeccompProfileFromAnnotations(t *testing.T) {
...
@@ -232,19 +232,34 @@ func TestGetSeccompProfileFromAnnotations(t *testing.T) {
expectedProfile
:
""
,
expectedProfile
:
""
,
},
},
{
{
description
:
"pod runtime/default seccomp profile should return runtime/default"
,
annotation
:
map
[
string
]
string
{
v1
.
SeccompPodAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
},
expectedProfile
:
v1
.
SeccompProfileRuntimeDefault
,
},
{
description
:
"pod docker/default seccomp profile should return docker/default"
,
description
:
"pod docker/default seccomp profile should return docker/default"
,
annotation
:
map
[
string
]
string
{
annotation
:
map
[
string
]
string
{
v1
.
SeccompPodAnnotationKey
:
"docker/default"
,
v1
.
SeccompPodAnnotationKey
:
v1
.
DeprecatedSeccompProfileDockerDefault
,
},
},
expectedProfile
:
"docker/default"
,
expectedProfile
:
v1
.
DeprecatedSeccompProfileDockerDefault
,
},
{
description
:
"pod runtime/default seccomp profile with containerName should return runtime/default"
,
annotation
:
map
[
string
]
string
{
v1
.
SeccompPodAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
},
containerName
:
"container1"
,
expectedProfile
:
v1
.
SeccompProfileRuntimeDefault
,
},
},
{
{
description
:
"pod docker/default seccomp profile with containerName should return docker/default"
,
description
:
"pod docker/default seccomp profile with containerName should return docker/default"
,
annotation
:
map
[
string
]
string
{
annotation
:
map
[
string
]
string
{
v1
.
SeccompPodAnnotationKey
:
"docker/default"
,
v1
.
SeccompPodAnnotationKey
:
v1
.
DeprecatedSeccompProfileDockerDefault
,
},
},
containerName
:
"container1"
,
containerName
:
"container1"
,
expectedProfile
:
"docker/default"
,
expectedProfile
:
v1
.
DeprecatedSeccompProfileDockerDefault
,
},
},
{
{
description
:
"pod unconfined seccomp profile should return unconfined"
,
description
:
"pod unconfined seccomp profile should return unconfined"
,
...
...
staging/src/k8s.io/api/core/v1/annotation_key_constants.go
View file @
e102633a
...
@@ -45,6 +45,13 @@ const (
...
@@ -45,6 +45,13 @@ const (
// to one container of a pod.
// to one container of a pod.
SeccompContainerAnnotationKeyPrefix
string
=
"container.seccomp.security.alpha.kubernetes.io/"
SeccompContainerAnnotationKeyPrefix
string
=
"container.seccomp.security.alpha.kubernetes.io/"
// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
SeccompProfileRuntimeDefault
string
=
"runtime/default"
// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
// This is now deprecated and should be replaced by SeccompProfileRuntimeDefault.
DeprecatedSeccompProfileDockerDefault
string
=
"docker/default"
// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
// in the Annotations of a Node.
// in the Annotations of a Node.
PreferAvoidPodsAnnotationKey
string
=
"scheduler.alpha.kubernetes.io/preferAvoidPods"
PreferAvoidPodsAnnotationKey
string
=
"scheduler.alpha.kubernetes.io/preferAvoidPods"
...
...
test/e2e/auth/pod_security_policy.go
View file @
e102633a
...
@@ -316,7 +316,7 @@ func restrictedPod(f *framework.Framework, name string) *v1.Pod {
...
@@ -316,7 +316,7 @@ func restrictedPod(f *framework.Framework, name string) *v1.Pod {
ObjectMeta
:
metav1
.
ObjectMeta
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Name
:
name
,
Annotations
:
map
[
string
]
string
{
Annotations
:
map
[
string
]
string
{
v1
.
SeccompPodAnnotationKey
:
"docker/default"
,
v1
.
SeccompPodAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
apparmor
.
ContainerAnnotationKeyPrefix
+
"pause"
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
ContainerAnnotationKeyPrefix
+
"pause"
:
apparmor
.
ProfileRuntimeDefault
,
},
},
},
},
...
@@ -374,8 +374,8 @@ func restrictedPSPInPolicy(name string) *policy.PodSecurityPolicy {
...
@@ -374,8 +374,8 @@ func restrictedPSPInPolicy(name string) *policy.PodSecurityPolicy {
ObjectMeta
:
metav1
.
ObjectMeta
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Name
:
name
,
Annotations
:
map
[
string
]
string
{
Annotations
:
map
[
string
]
string
{
seccomp
.
AllowedProfilesAnnotationKey
:
"docker/default"
,
seccomp
.
AllowedProfilesAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
seccomp
.
DefaultProfileAnnotationKey
:
"docker/default"
,
seccomp
.
DefaultProfileAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
apparmor
.
AllowedProfilesAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
AllowedProfilesAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
DefaultProfileAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
DefaultProfileAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
},
},
...
@@ -429,8 +429,8 @@ func restrictedPSP(name string) *extensionsv1beta1.PodSecurityPolicy {
...
@@ -429,8 +429,8 @@ func restrictedPSP(name string) *extensionsv1beta1.PodSecurityPolicy {
ObjectMeta
:
metav1
.
ObjectMeta
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
name
,
Name
:
name
,
Annotations
:
map
[
string
]
string
{
Annotations
:
map
[
string
]
string
{
seccomp
.
AllowedProfilesAnnotationKey
:
"docker/default"
,
seccomp
.
AllowedProfilesAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
seccomp
.
DefaultProfileAnnotationKey
:
"docker/default"
,
seccomp
.
DefaultProfileAnnotationKey
:
v1
.
SeccompProfileRuntimeDefault
,
apparmor
.
AllowedProfilesAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
AllowedProfilesAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
DefaultProfileAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
apparmor
.
DefaultProfileAnnotationKey
:
apparmor
.
ProfileRuntimeDefault
,
},
},
...
...
test/e2e/node/security_context.go
View file @
e102633a
...
@@ -144,7 +144,7 @@ var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() {
...
@@ -144,7 +144,7 @@ var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() {
// TODO: port to SecurityContext as soon as seccomp is out of alpha
// TODO: port to SecurityContext as soon as seccomp is out of alpha
pod
:=
scTestPod
(
false
,
false
)
pod
:=
scTestPod
(
false
,
false
)
pod
.
Annotations
[
v1
.
SeccompContainerAnnotationKeyPrefix
+
"test-container"
]
=
"unconfined"
pod
.
Annotations
[
v1
.
SeccompContainerAnnotationKeyPrefix
+
"test-container"
]
=
"unconfined"
pod
.
Annotations
[
v1
.
SeccompPodAnnotationKey
]
=
"docker/default"
pod
.
Annotations
[
v1
.
SeccompPodAnnotationKey
]
=
v1
.
SeccompProfileRuntimeDefault
pod
.
Spec
.
Containers
[
0
]
.
Command
=
[]
string
{
"grep"
,
"ecc"
,
"/proc/self/status"
}
pod
.
Spec
.
Containers
[
0
]
.
Command
=
[]
string
{
"grep"
,
"ecc"
,
"/proc/self/status"
}
f
.
TestContainerOutput
(
v1
.
SeccompPodAnnotationKey
,
pod
,
0
,
[]
string
{
"0"
})
// seccomp disabled
f
.
TestContainerOutput
(
v1
.
SeccompPodAnnotationKey
,
pod
,
0
,
[]
string
{
"0"
})
// seccomp disabled
})
})
...
@@ -157,10 +157,10 @@ var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() {
...
@@ -157,10 +157,10 @@ var _ = SIGDescribe("Security Context [Feature:SecurityContext]", func() {
f
.
TestContainerOutput
(
v1
.
SeccompPodAnnotationKey
,
pod
,
0
,
[]
string
{
"0"
})
// seccomp disabled
f
.
TestContainerOutput
(
v1
.
SeccompPodAnnotationKey
,
pod
,
0
,
[]
string
{
"0"
})
// seccomp disabled
})
})
It
(
"should support seccomp alpha
docker
/default annotation [Feature:Seccomp]"
,
func
()
{
It
(
"should support seccomp alpha
runtime
/default annotation [Feature:Seccomp]"
,
func
()
{
// TODO: port to SecurityContext as soon as seccomp is out of alpha
// TODO: port to SecurityContext as soon as seccomp is out of alpha
pod
:=
scTestPod
(
false
,
false
)
pod
:=
scTestPod
(
false
,
false
)
pod
.
Annotations
[
v1
.
SeccompContainerAnnotationKeyPrefix
+
"test-container"
]
=
"docker/default"
pod
.
Annotations
[
v1
.
SeccompContainerAnnotationKeyPrefix
+
"test-container"
]
=
v1
.
SeccompProfileRuntimeDefault
pod
.
Spec
.
Containers
[
0
]
.
Command
=
[]
string
{
"grep"
,
"ecc"
,
"/proc/self/status"
}
pod
.
Spec
.
Containers
[
0
]
.
Command
=
[]
string
{
"grep"
,
"ecc"
,
"/proc/self/status"
}
f
.
TestContainerOutput
(
v1
.
SeccompPodAnnotationKey
,
pod
,
0
,
[]
string
{
"2"
})
// seccomp filtered
f
.
TestContainerOutput
(
v1
.
SeccompPodAnnotationKey
,
pod
,
0
,
[]
string
{
"2"
})
// seccomp filtered
})
})
...
...
test/test_owners.csv
View file @
e102633a
...
@@ -449,7 +449,7 @@ Secrets should be consumable via the environment,ixdy,1,apps
...
@@ -449,7 +449,7 @@ Secrets should be consumable via the environment,ixdy,1,apps
Security Context should support container.SecurityContext.RunAsUser,alex-mohr,1,apps
Security Context should support container.SecurityContext.RunAsUser,alex-mohr,1,apps
Security Context should support pod.Spec.SecurityContext.RunAsUser,bgrant0607,1,apps
Security Context should support pod.Spec.SecurityContext.RunAsUser,bgrant0607,1,apps
Security Context should support pod.Spec.SecurityContext.SupplementalGroups,rrati,0,apps
Security Context should support pod.Spec.SecurityContext.SupplementalGroups,rrati,0,apps
Security Context should support seccomp alpha
docker
/default annotation,freehan,1,apps
Security Context should support seccomp alpha
runtime
/default annotation,freehan,1,apps
Security Context should support seccomp alpha unconfined annotation on the container,childsb,1,apps
Security Context should support seccomp alpha unconfined annotation on the container,childsb,1,apps
Security Context should support seccomp alpha unconfined annotation on the pod,krousey,1,apps
Security Context should support seccomp alpha unconfined annotation on the pod,krousey,1,apps
Security Context should support seccomp default which is unconfined,lavalamp,1,apps
Security Context should support seccomp default which is unconfined,lavalamp,1,apps
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment