play kube should honor container.seccomp.security.alpha.kubernetes.io

[AkihiroSuda]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

Not sure /kind bug or /kind feature.
Probably /kind feature.

Description

play kube should honor container.seccomp.security.alpha.kubernetes.io
And also container.apparmor.security.beta.kubernetes.io

Steps to reproduce the issue:

Play-kube the following yaml

apiVersion: v1
kind: Pod
metadata:
  name: bk
  annotations:
    container.apparmor.security.beta.kubernetes.io/bk: unconfined
    container.seccomp.security.alpha.kubernetes.io/bk: unconfined
spec:
  containers:
  - name: bk
    image: moby/buildkit:master-rootless
    imagePullPolicy: Always
    args:
    - --oci-worker-no-process-sandbox

Describe the results you received:
Doesn't work because seccomp is not unconfined

Describe the results you expected:
seccomp should be unconfined

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:            1.3.0-dev
RemoteAPI Version:  1
Go Version:         go1.12.2
OS/Arch:            linux/amd64

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.12.2
  podman version: 1.3.0-dev
host:
  BuildahVersion: 1.8-dev
  Conmon:
    package: podman-1.3.0-21.dev.gitb01fdcb.fc31.x86_64
    path: /usr/libexec/podman/conmon
    version: 'conmon version 1.12.0-dev, commit: 3c163e4635ea7ed15cde0814e3bbf87fb759ee25'
  Distribution:
    distribution: fedora
    version: "31"
  MemFree: 1470832640
  MemTotal: 4108623872
  OCIRuntime:
    package: runc-1.0.0-92.dev.gitc1b8c57.fc31.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.0.0-rc7+dev
      commit: 82c0db510c11ff6ea97d86b5a4f441d8b5376a84
      spec: 1.0.1-dev
  SwapFree: 2109730816
  SwapTotal: 2147479552
  arch: amd64
  cpus: 2
  hostname: fb4099539e47
  kernel: 5.0.0-13-generic
  os: linux
  rootless: false
  uptime: 22h 37m 52.75s (Approximately 0.92 days)
insecure registries:
  registries: []
registries:
  registries:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 2
  GraphDriverName: vfs
  GraphOptions:
  - overlay.mountopt=nodev
  GraphRoot: /var/lib/containers/storage
  GraphStatus: {}
  ImageStore:
    number: 2
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Additional environment details (AWS, VirtualBox, physical, etc.):

[vrothberg]

Hi @AkihiroSuda, thanks for opening the issue! @baude, I also added the good first issue label. I think it's a nice task for interns.

[rhatdan]

@weirdwiz Any progress on this?

[weirdwiz]

There was a failure in podman play when I started working on this, after that I couldn't get a chance to work on this. I shall look into this again.

[rhatdan]

@haircommander PTAL

[rhatdan]

@haircommander Any progress?

[github-actions]

This issue had no activity for 30 days. In the absence of activity or the "do-not-close" label, the issue will be automatically closed within 7 days.

[TomSweeneyRedHat]

Just going to add a comment as this would be a nice to have.

[rhatdan]

Yes, I think I will go through some of these play kube issues and implement them.