Bug 1379761 moved and edited seccomp info

[bfallonf]

Followup to #2975

@pweil- I moved the seccomp info to the admin guide, and put the Examples section more into the Configuring section, but kept the Custom Profile stuff on the outside. WDYT?

I do have some questions on areas I think can be elaborated on though. I'll put them inline. Thanks!

[bfallonf]

@pweil- I'm not sure what the above are. Why are we configuring pods here? Is this something you have to configure before you can go through the tasks below?

[pweil-]

both of the annotations belong at the pod level.

[bfallonf]

Should this be inside the topics below first? Or would this be more at home in something like a "Enabling Seccomp" section instead of a admonition?

[pweil-]

Since this is not related to OpenShift and is more about the operating system I called it out separately. I could see it going in the section below if you'd prefer it there.

[bfallonf]

The above was taken over from the Examples section, but now I think I've confused it all. Is it that the file exists by default? Or is it that you have to take the file from the example inline above, so that you don't have to create it? Sorry if this is a confusing question...

[pweil-]

If you are using runtime/default it is built into the container runtime (ie docker) and doesn't require a file on the node.

[bfallonf]

I'm not sure what the above is saying. Are they example profiles? can they be substituted into the step below this one?

[pweil-]

these are the allowable formats of the annotation values. runtime/default is the container runtime's default, built-in profile and doesn't require a file. unconfined is turning off seccomp and doesn't require a file. localhost/<name> is pointing to a specific file on the node. The localhost portion tells the system that it is, in fact, a file that needs read and the name corresponds to the actual file name that would be stored in the seccomp profile root that was configured on the kubelet.

[bfallonf]

Please let me know if anything below is incorrect.

[pweil-]

this would be the localhost/<name> option if you wanted to use a custom profile. If you're just using the runtime/default you would not need to set the seccomp-profile-root.

[pweil-]

this should be done after the kubelet args are changed. They just need to restart the node service(s), not the whole host.

[bfallonf]

@pweil- Thanks for the prompt comments. I've made the changes I think need to happen and that you've suggested, but kept some of them because your comments helped them make sense to me.

Could I ask for a final ack that all is well with the topic? Then I can move it to review. Thanks!

[pweil-]

This is a duplicate step of configuring the restricted SCC

[bfallonf]

@pweil- So should i delete this step in favour of the above one?

[pweil-]

Well, reading this a bit closer I think the examples are just in the wrong spot. Here is what I see:

1. create a profile in the seccomp-profile-root
   1. example of configuring the root
2. configure the root
   1. example of configuring SCC
3. restart node
4. example restart
5. configure the SCC
   1. example SCC

I think you just need to move lines 115-119 to replace 123-126 and then we're good.

[pweil-]

LGTM

[bfallonf]

Thanks, @pweil-

@ahardin-rh @adellape @tpoitras Should be ok to peer review now if anyone wants. Just got one thing to sort out above.

[bfallonf]

@pweil- I made change to what i think you suggested. Please let me know if I'm wrong.

@ahardin-rh @tpoitras @adellape totally ready for peer review.

Thanks, everybody.

[pweil-]

I made change to what i think you suggested. Please let me know if I'm wrong.

@bfallonf - here is what I would suggest. Everything looks good except for the example of creating a profile in the root which I think can be removed. It's a file on the host machines:

To ensure pods in your cluster run with a custom profile in the *restricted* SCC:

. Create the seccomp profile in *seccomp-profile-root* on all nodes:
+

. Configure *seccomp-profile-root*:
+
----
kubeletArguments:
  seccomp-profile-root:
    - "/your/path"
----

. Restart node service to apply the changes:

ifdef::openshift-enterprise[]
----
# systemctl restart atomic-openshift-node
----
endif::[]
ifdef::openshift-origin[]
----
# systemctl restart origin-node
----
endif::[]

* Configure the *restricted* SCC:
+
----
seccompProfiles:
- localhost/<profile-name>
----

[ahardin-rh]

What does alpha support mean? Is it the same thing as Technology Preview?

[bfallonf]

Paul made a comment below that tech preview works.

[ahardin-rh]

@bfallonf just one comment from me ⭐

[tpoitras]

Is this a sufficient title? Should you use the long form of "Secure Computing Mode"?

[bfallonf]

Hmm I'd changed to a better title already. Maybe I didn't push.

[tpoitras]

I'm assuming "alpha" here means "pre-beta", but should you quantify what the risks/ramifications are?

[pweil-]

Alpha should be defined as https://github.com/openshift/origin#alpha-and-unsupported-kubernetes-features

[nak3]

@pweil- What's the policy of RH? Does it mean technical preview?

The feature may have significant bugs and is suitable for testing and prototyping.

It looks like not production ready feature.

[pweil-]

yes, tech preview

[nak3]

I see. Thank you!

[tpoitras]

Maybe the first instance you could say something like "Secure computing mode, or seccomp, is used to..."

[tpoitras]

s/calls applications/calls that applications

[tpoitras]

Not sure you need the "are" here.

[tpoitras]

comma after "system"?
Maybe not, I tend to over-use the comma.

[tpoitras]

s/json/JSON
or
s/json/.json

[tpoitras]

what is a "syscall"? Is this defined elsewhere?

[bfallonf]

From what I know, it's a linux thing...

[tpoitras]

s/in many cases, the cluster/in many cases. The cluster...

^ This should be two separate sentences, no?

[tpoitras]

allowing cluster administrators

[tpoitras]

This definition from "A seccomp profile" to the end of this step does not belong inside the procedure. It should be preamble under the section heading.

[vikram-redhat]

Sorry @adellape - I haven't had the chance to look at this today (10/31). Will look at this tomorrow in detail.

[adellape]

Removed enterprise-3.3 branch because it's been picked/published there already. Added dedicated-3.3 + online + to_followup labels and moved to the Next Release milestone for further conditionalizing for Dedicated/Online.