Conversation

vinayakankugoyal
Contributor

@vinayakankugoyal vinayakankugoyal commented Mar 15, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR sets the seccomp profile for the control-plane components in kubeadm to runtime/default. Seccomp (secure computing mode) is used to restrict the set of system calls applications can make. Most container runtimes provide a sane set of default syscalls that are allowed or not. The defaults can easily be applied in Kubernetes by using the runtime/default annotation or setting the seccomp type in the security context of a pod or container to RuntimeDefault.

How tested:

Please note I had to build kind from source, which is a requirement for 1.21+. See this slack thread.

1. Created a node image using kind:
   kind build node-image
2. Created a cluster using kind:
   kind create cluster --image kindest/node:latest -v 9
3. Exec'd into the kind control-plane container:
   docker exec -it kind-control-plane /bin/bash
4. Made sure all pods are running:
root@kind-control-plane:/# crictl ps -a
CONTAINER           IMAGE               CREATED             STATE               NAME                      ATTEMPT             POD ID
0078ac2264106       d1f2268f5826f       7 seconds ago       Running             etcd                      0                   1b82c448c20a7
12007debf3274       0431819786ed2       7 seconds ago       Running             kube-apiserver            0                   4cfb27d550ee0
c054be4fc20f5       b1855751337b1       7 seconds ago       Running             kube-controller-manager   0                   ff9d4277980ab
991398db24089       51a671880981a       8 seconds ago       Running             kube-scheduler            0                   a05064d6d9dbc
5. Made sure all Pods have the seccompProfile:
root@kind-control-plane:/# grep seccomp -C 2 /etc/kubernetes/manifests/*.yaml
/etc/kubernetes/manifests/etcd.yaml-  priorityClassName: system-node-critical
/etc/kubernetes/manifests/etcd.yaml-  securityContext:
/etc/kubernetes/manifests/etcd.yaml:    seccompProfile:
/etc/kubernetes/manifests/etcd.yaml-      type: RuntimeDefault
/etc/kubernetes/manifests/etcd.yaml-  volumes:
--
/etc/kubernetes/manifests/kube-apiserver.yaml-  priorityClassName: system-node-critical
/etc/kubernetes/manifests/kube-apiserver.yaml-  securityContext:
/etc/kubernetes/manifests/kube-apiserver.yaml:    seccompProfile:
/etc/kubernetes/manifests/kube-apiserver.yaml-      type: RuntimeDefault
/etc/kubernetes/manifests/kube-apiserver.yaml-  volumes:
--
/etc/kubernetes/manifests/kube-controller-manager.yaml-  priorityClassName: system-node-critical
/etc/kubernetes/manifests/kube-controller-manager.yaml-  securityContext:
/etc/kubernetes/manifests/kube-controller-manager.yaml:    seccompProfile:
/etc/kubernetes/manifests/kube-controller-manager.yaml-      type: RuntimeDefault
/etc/kubernetes/manifests/kube-controller-manager.yaml-  volumes:
--
/etc/kubernetes/manifests/kube-scheduler.yaml-  priorityClassName: system-node-critical
/etc/kubernetes/manifests/kube-scheduler.yaml-  securityContext:
/etc/kubernetes/manifests/kube-scheduler.yaml:    seccompProfile:
/etc/kubernetes/manifests/kube-scheduler.yaml-      type: RuntimeDefault
/etc/kubernetes/manifests/kube-scheduler.yaml-  volumes:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Setting the seccompProfile for these components to runtime/default is safe and we have been doing this in kube-up for a while.

Does this PR introduce a user-facing change?

kubeadm: set the seccompProfile to runtime/default in the PodSecurityContext of the control-plane components that run as static Pods.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[KEP 2568]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2568-kubeadm-non-root-control-plane
[KEP Issue]: https://github.com/kubernetes/enhancements/issues/2568
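The verification step above reads the grep output by eye. As an added example, not part of this PR or of kubeadm, the POSIX shell audit below checks every static Pod manifest in a directory for a pod-level securityContext.seccompProfile.type of RuntimeDefault and reports the ones that lack it. It relies only on awk, so it can run on a control-plane node without YAML tooling; the manifest layout it assumes (pod-level securityContext at two-space indent under spec:, as in the kubeadm manifests shown above), the write_sample_manifests helper and the three sample manifests it generates for the stand-alone demo are all constructed for this example.

```shell
#!/bin/sh
# Added example, not kubeadm code: audit static Pod manifests for a pod-level
# securityContext.seccompProfile.type of RuntimeDefault. Assumes the layout
# used by the kubeadm manifests (pod-level securityContext at 2-space indent
# under spec:), so it needs only awk on the node, no YAML tooling.
set -eu

# Exit 0 if the manifest sets spec.securityContext.seccompProfile.type to
# RuntimeDefault at the pod level; container-level profiles are not counted.
manifest_has_runtime_default() {
  awk '
    /^  securityContext:/            { in_ctx = 1; next }        # pod-level block starts
    in_ctx && /^  [^ ]/              { in_ctx = 0; in_prof = 0 } # next pod-level key ends it
    in_ctx && /^    seccompProfile:/ { in_prof = 1; next }
    in_prof && /^    [^ ]/           { in_prof = 0 }             # sibling key ends seccompProfile
    in_prof && /^      type: *RuntimeDefault *$/ { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Walk every *.yaml manifest in a directory and report each one; return 1 if
# any manifest lacks the pod-level RuntimeDefault profile.
audit_manifests() {
  audit_rc=0
  for f in "$1"/*.yaml; do
    [ -e "$f" ] || continue
    if manifest_has_runtime_default "$f"; then
      echo "OK       $f"
    else
      echo "MISSING  $f"
      audit_rc=1
    fi
  done
  return "$audit_rc"
}

# Constructed sample manifests for the stand-alone demo (not real kubeadm
# output): one matching the kubeadm layout, one with no securityContext at
# all, and one explicitly set to Unconfined.
write_sample_manifests() {
  cat > "$1/kube-apiserver.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: placeholder/kube-apiserver
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes: []
EOF
  cat > "$1/etcd.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - name: etcd
    image: placeholder/etcd
  priorityClassName: system-node-critical
  volumes: []
EOF
  cat > "$1/kube-scheduler.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
  - name: kube-scheduler
    image: placeholder/kube-scheduler
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: Unconfined
  volumes: []
EOF
}

# Stand-alone demo on the constructed samples. On a real control-plane node
# run instead: audit_manifests /etc/kubernetes/manifests
demo_dir=$(mktemp -d)
write_sample_manifests "$demo_dir"
audit_manifests "$demo_dir" || echo "at least one manifest lacks RuntimeDefault"
rm -rf "$demo_dir"
```

The check deliberately looks only at the pod-level securityContext, which is where this PR places the profile; a profile set only on an individual container would be reported as MISSING, so adjust the awk indent patterns if a cluster sets it per container instead.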

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 15, 2021
@k8s-ci-robot
Contributor

Hi @vinayakankugoyal. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vinayakankugoyal vinayakankugoyal changed the title Add seccomp profile runtime default to add control-plane components. Set seccomp profile to runtime default in control-plane components in kubeadm. Mar 15, 2021
@k8s-ci-robot k8s-ci-robot added area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 15, 2021
@neolit123
Member

we are in code-freeze for 1.21.

please link to the k/enhancement issue in the PR description..

xref https://github.com/kubernetes/enhancements/issues/2568

note that normally PRs are created after the KEPs are marked as "implementable".

if you wish to test this locally you can create a kind cluster with a custom built kubeadm binary.
https://kind.sigs.k8s.io/docs/design/node-image/

@vinayakankugoyal
Contributor Author

@neolit123 - this is something that I noticed while going through the code. I don't think we need the KEP to make this change; this has been added to all the manifests in #93095. It should be safe to add this. But since we are in code-freeze already we might as well include this in the KEP.

@vinayakankugoyal vinayakankugoyal changed the title Set seccomp profile to runtime default in control-plane components in kubeadm. runtime/default Seccomp Profile in kubeadm control-plane components. Apr 12, 2021
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note-none Denotes a PR that doesn't merit a release note. labels May 7, 2021
@vinayakankugoyal
Contributor Author

@neolit123 - now that the KEP is merged and marked implementable, PTAL. Thanks!

@vinayakankugoyal
Contributor Author

vinayakankugoyal commented May 7, 2021

/sig security

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 7, 2021
@neolit123
Member

neolit123 left a comment

/triage accepted
/priority important-soon
/ok-to-test
/milestone v1.22

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 10, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone May 10, 2021
@k8s-ci-robot k8s-ci-robot removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 10, 2021
@neolit123
Member

suggestion for a release note change (under "Does this PR introduce a user-facing change?"):

kubeadm: make the control-plane components that run as static Pods set the seccompProfile to runtime/default in their PodSecurityContext.

@vinayakankugoyal
Contributor Author

> suggestion for a release note change (under "Does this PR introduce a user-facing change?"):
>
> kubeadm: make the control-plane components that run as static Pods set the seccompProfile to runtime/default in their PodSecurityContext.

Updated, PTAL. Thanks for reviewing!

@neolit123
Member

neolit123 commented May 10, 2021

we assumed on the KEP that this would not break existing users, related to setup of their hosts.
those patching the manifests using --experimental-patches should see a NO-OP if the context is already set to the same value, or their value "should" override the default/value. i'm saying "should" as i have not tested all patch format variants.

/lgtm
/approve
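The comment above expects a user-supplied patch to either be a no-op (same value) or to override the new default. As an added illustration, not part of this PR or of kubeadm's own test set, here is what such an override looks like with the kubeadm patches directory: a strategic merge patch file for kube-apiserver that replaces the pod-level RuntimeDefault profile with a Localhost profile. The file name follows kubeadm's target[suffix][+patchtype].extension convention; the profile path profiles/kube-apiserver.json is an assumed placeholder, resolved by the kubelet relative to its seccomp root directory.

```yaml
# Added example, not kubeadm code.
# File: <patches-dir>/kube-apiserver0+strategic.yaml
# Passed via --experimental-patches <patches-dir> on the kubeadm versions this
# PR targets. The strategic merge patch below is applied on top of the static
# Pod manifest kubeadm generates, so its seccompProfile wins over the
# RuntimeDefault value this PR sets. localhostProfile is a placeholder path.
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: profiles/kube-apiserver.json
```

A patch that sets type: RuntimeDefault instead reproduces the kubeadm default and so, as the comment above expects, applies as a no-op; after either kind of patch, the grep in the PR description's test steps is the quickest way to confirm which value actually landed in /etc/kubernetes/manifests.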

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 10, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, vinayakankugoyal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 10, 2021
@k8s-ci-robot k8s-ci-robot merged commit 365ed5c into kubernetes:master May 10, 2021
@vinayakankugoyal vinayakankugoyal deleted the seccomp branch January 31, 2025 17:28