Add SecCompCustomProfileConfigMap for system-probe #73

Merged
merged 2 commits into from
Apr 17, 2020

@L3n41c (Member) commented Apr 9, 2020

What does this PR do?

Add SecCompCustomProfileConfigMap for system-probe.

Motivation

Implement the following behaviours regarding the seccomp profile for system-probe:

(“ConfigMap” is a shortcut for “the ConfigMap containing the seccomp profile for system-probe”.
“init container” is a shortcut for “the init container that copies the seccomp profile from the ConfigMap to the host”.)

  • Let the operator use its own seccomp profile:
    • create a ConfigMap
    • use an init container to copy its content to the hosts.
    • ```yaml
      systemProbe:
        enabled: true
      ```

  • Make system-probe use the default seccomp profile:
    • do not create the ConfigMap
    • do not create the init container
    • ```yaml
      systemProbe:
        enabled: true
        secCompProfileName: runtime/default
      ```

  • Make system-probe use a seccomp profile that is already available on the hosts (in /var/lib/kubelet/seccomp/my_custom_profile)
    • do not create the ConfigMap
    • do not create the init container
    • ```yaml
      systemProbe:
        enabled: true
        secCompProfileName: localhost/my_custom_profile
      ```

  • Make system-probe use a seccomp profile provided in a user-supplied ConfigMap.
    • do not create the ConfigMap. The user has to create one beforehand.
    • use an init container to copy the content of the user-provided ConfigMap to the hosts.
    • ```yaml
      systemProbe:
        enabled: true
        secCompCustomProfileConfigMap: lenaic-system-probe-seccomp
      ```

Additional Notes

Anything else we should know when reviewing?

@L3n41c L3n41c requested a review from a team as a code owner April 9, 2020 13:01
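
The four configurations in the PR description above, written out as one decision function. This is an added sketch, not code from the PR or the operator: `Plan`, `Resolve`, the rejection of both fields being set together, and the path check on `localhost/` names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// SystemProbeSpec holds only the three fields shown in the PR description.
type SystemProbeSpec struct {
	Enabled                       bool
	SecCompProfileName            string
	SecCompCustomProfileConfigMap string
}

// Plan is a hypothetical summary of what gets created for system-probe.
type Plan struct {
	CreateConfigMap bool   // operator generates the ConfigMap itself
	InitContainer   bool   // init container copies the profile to the hosts
	SourceConfigMap string // user-supplied ConfigMap to copy from, if any
	Profile         string // explicit secCompProfileName, if any
}

// Resolve maps a spec onto the four behaviours listed in the PR description.
func Resolve(s SystemProbeSpec) (Plan, error) {
	name, cm := s.SecCompProfileName, s.SecCompCustomProfileConfigMap
	switch {
	case !s.Enabled:
		return Plan{}, nil
	case name != "" && cm != "": // assumption: combination not described, reject
		return Plan{}, fmt.Errorf("set only one of profile name and ConfigMap")
	case cm != "": // user-supplied ConfigMap, copied by the init container
		return Plan{InitContainer: true, SourceConfigMap: cm}, nil
	case name == "": // operator ships its own profile
		return Plan{CreateConfigMap: true, InitContainer: true}, nil
	case name == "runtime/default":
		return Plan{Profile: name}, nil
	case strings.HasPrefix(name, "localhost/"): // assumption: stay inside /var/lib/kubelet/seccomp
		for _, p := range strings.Split(strings.TrimPrefix(name, "localhost/"), "/") {
			if p == "" || p == "." || p == ".." {
				return Plan{}, fmt.Errorf("invalid localhost profile %q", name)
			}
		}
		return Plan{Profile: name}, nil
	}
	return Plan{}, fmt.Errorf("unsupported seccomp profile %q", name)
}

func main() {
	fmt.Println(Resolve(SystemProbeSpec{Enabled: true, SecCompProfileName: "localhost/my_custom_profile"}))
}
```
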
@clamoriniere (Collaborator) left a comment

Small comment
Could you try to add a unit-test or e2e test?

Co-Authored-By: Cedric Lamoriniere <cedric.lamoriniere@datadoghq.com>
@clamoriniere clamoriniere merged commit 17f2aec into master Apr 17, 2020
@clamoriniere clamoriniere deleted the lenaic/add_custom_seccomp_profile branch April 17, 2020 07:39