introduce seccomp override empty

[haircommander]

What type of PR is this?

/kind feature

/kind flake

What this PR does / why we need it:

right now, the CRI defaults to an unconfined profile when it's set to empty
However, it's possible admins want the behavior to default to the default profile instead.

add a knob to allow admins to override the empty behavior from unconfined to the default
Note, when set this technically makes CRI-O not CRI compliant, but for increased security, it's worth it.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Add option `seccomp_override_empty` to override an unspecified seccomp profile from being unconfined to being the runtime default. Note: setting this option makes CRI-O not fully CRI compliant, but does increase security. 

[codecov]

Codecov Report

Merging #4212 into master will decrease coverage by 0.05%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master    #4212      +/-   ##
==========================================
- Coverage   38.59%   38.53%   -0.06%     
==========================================
  Files         111      111              
  Lines        8893     8906      +13     
==========================================
  Hits         3432     3432              
- Misses       5077     5089      +12     
- Partials      384      385       +1     

[haircommander]

dropped the WIP commits, added an integration test

[haircommander]

/retest

[saschagrunert]

Do we have a chance to change the default in Kubernetes when graduating the CRI?

[haircommander]

Do we have a chance to change the default in Kubernetes when graduating the CRI?

Possibly, when is seccomp going to be GA? possibly then as well. The issue is, unless either of those make 1.20 and also update the default, users won't get it for a while. If upstream k8s changes the default, we can go to that and drop this option. Until then, I think it's something admins should be given the choice for

[kolyshkin]

Perpaps something like this instead?

--seccomp-empty=[unconfined|default]

Changes the meaning of an empty seccomp profile. By default
(and according to CRI spec), empty profile means unconfined.
This option allows to treat an empty profile as default profile,
which might increase security.

Overall, though, it's too complicated (== semantically overloaded) either way (yours or mine).

[kolyshkin]

OK, one more alternative is boolean's --seccomp-treat-empty-as-default, which makes more sense for bool but it's still somewhat cumbersome.

[haircommander]

what about --seccomp-use-default-when-empty still verbose but definitely a clear boolean value

[haircommander]

Perpaps something like this instead?

--seccomp-empty=[unconfined|default]

Changes the meaning of an empty seccomp profile. By default
(and according to CRI spec), empty profile means unconfined.
This option allows to treat an empty profile as default profile,
which might increase security.

Overall, though, it's too complicated (== semantically overloaded) either way (yours or mine).

I like this verbiage, but it's pretty verbose for help text, I'll add it to the config text though

[saschagrunert]

LGTM

[kolyshkin]

The test case needs a revamp but AFAIK @wgahnagl is working on this one, so she can cover this, too.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, kolyshkin, mrunalp, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [haircommander,mrunalp,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mrunalp]

/lgtm