Thanks to visit codestin.com
Credit goes to github.com

Support CRI seccomp security profiles #4358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

openshift-merge-robot merged 1 commit into cri-o:master from saschagrunert:cri-security-profile

Mar 5, 2021

Member

saschagrunert commented Nov 9, 2020 •

edited

Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

We now add support for seccomp security profiles within the CRI. We still support the deprecated code paths until the field is not available any more.

AppArmor support will follow later on.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Support Container Runtime Interface (CRI) security profiles for seccomp, which has been introduced with Kubernetes v1.20.0 and the graduation of the CRI.

saschagrunert requested review from mrunalp and runcom as code owners

November 9, 2020 10:39

openshift-ci-robot added release-note dco-signoff: yes kind/feature labels

openshift-ci-robot requested review from rhatdan and vrothberg

November 9, 2020 10:39

openshift-ci-robot added the approved label

codecov bot commented Nov 9, 2020 •

edited

Loading

Codecov Report

Merging #4358 (04240b5) into master (4485573) will increase coverage by 0.18%.
The diff coverage is 41.75%.

@@            Coverage Diff             @@
##           master    #4358      +/-   ##
==========================================
+ Coverage   40.45%   40.64%   +0.18%     
==========================================
  Files         110      110              
  Lines        9443     9493      +50     
==========================================
+ Hits         3820     3858      +38     
- Misses       5191     5193       +2     
- Partials      432      442      +10

saschagrunert force-pushed the cri-security-profile branch 2 times, most recently from ca999f2 to 770a10b Compare

November 9, 2020 11:39

Member Author

saschagrunert commented Nov 9, 2020

/retest

1 similar comment

Member Author

saschagrunert commented Nov 9, 2020

/retest

saschagrunert force-pushed the cri-security-profile branch from 770a10b to 0d8cf97 Compare

November 9, 2020 14:22

Contributor

TomSweeneyRedHat commented Nov 9, 2020

LGTM
assuming happy tests

Member Author

saschagrunert commented Nov 10, 2020

/retest

mrunalp reviewed

View reviewed changes

server/container_create.go Outdated Show resolved Hide resolved

mrunalp reviewed

View reviewed changes

server/container_create.go Outdated Show resolved Hide resolved

saschagrunert force-pushed the cri-security-profile branch from 0d8cf97 to 99e9c61 Compare

November 11, 2020 08:16

saschagrunert mentioned this pull request

vendor: bump containers/storage to v1.24.0 #4334

Merged

mrunalp approved these changes

View reviewed changes

Member

mrunalp commented Nov 11, 2020

/lgtm

openshift-ci-robot commented Nov 11, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrunalp, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [mrunalp,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot assigned mrunalp

openshift-ci-robot added the lgtm label

Member

mrunalp commented Nov 11, 2020

/retest

Member

mrunalp commented Nov 12, 2020

/test e2e-aws

Member Author

saschagrunert commented Nov 12, 2020

/retest

1 similar comment

Member

umohnani8 commented Nov 13, 2020

/retest

Member

umohnani8 commented Nov 13, 2020 •

edited

Loading

Looks like bootstrap failed due to service quota, will hit retest in a bit again.

Member Author

saschagrunert commented Jan 18, 2021

/retest

Member Author

saschagrunert commented Jan 18, 2021

/test integration_cgroupv2

Member

haircommander commented Jan 20, 2021

/retest

2 similar comments

Member Author

saschagrunert commented Jan 21, 2021

/retest

Member

haircommander commented Jan 21, 2021

/retest

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.

8 similar comments

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot commented Mar 5, 2021

/retest

Please review the full test history for this PR and help us cut down flakes.


          Support CRI seccomp security profiles

af4786b

We now add support for seccomp profiles within the CRI. We still support
the deprecated code paths until the field is not available any more.

AppArmor support will follow later on.

Signed-off-by: Sascha Grunert <[email protected]>

saschagrunert force-pushed the cri-security-profile branch from a4b4d6f to af4786b Compare

March 5, 2021 08:22

openshift-ci-robot removed the lgtm label

Member Author

saschagrunert commented Mar 5, 2021

Had to give this one a rebase.

Member Author

saschagrunert commented Mar 5, 2021

/test critest_fedora

Member

haircommander commented Mar 5, 2021

/lgtm

openshift-ci-robot added the lgtm label

Member

haircommander commented Mar 5, 2021

/override ci/kata-jenkins

openshift-ci-robot commented Mar 5, 2021

@haircommander: Overrode contexts on behalf of haircommander: ci/kata-jenkins

Details

In response to this:

/override ci/kata-jenkins

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci-robot commented Mar 5, 2021

@saschagrunert: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/kata-jenkins	`af4786b`	link	`/test kata-containers`

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Member

haircommander commented Mar 5, 2021

/test integration_crun
/override ci/kata-jenkins

openshift-ci-robot commented Mar 5, 2021

@haircommander: Overrode contexts on behalf of haircommander: ci/kata-jenkins

Details

In response to this:

/test integration_crun
/override ci/kata-jenkins

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Contributor

openshift-ci bot commented Mar 5, 2021 •

edited

Loading

@saschagrunert: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-gcp	`af4786b`	link	`/test e2e-gcp`
ci/prow/e2e-agnostic	`af4786b`	link	`/test e2e-agnostic`
ci/openshift-jenkins/integration_crun_cgroupv2	`af4786b`	link	`/test integration_cgroupv2`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-merge-robot merged commit c61c691 into cri-o:master

saschagrunert deleted the cri-security-profile branch

March 5, 2021 18:11

fidencio mentioned this pull request

Kata Containers can't be created due to strict checks done when seccomp is disabled #4627

Closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved dco-signoff: yes kind/feature lgtm release-note