New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
introduce seccomp override empty #4212
introduce seccomp override empty #4212
Conversation
Codecov Report
@@ Coverage Diff @@
## master #4212 +/- ##
==========================================
- Coverage 38.59% 38.53% -0.06%
==========================================
Files 111 111
Lines 8893 8906 +13
==========================================
Hits 3432 3432
- Misses 5077 5089 +12
- Partials 384 385 +1 |
e6bcc06
to
2717272
Compare
2717272
to
97eff81
Compare
97eff81
to
20cb433
Compare
dropped the WIP commits, added an integration test |
/retest |
b6c66ac
to
3ad839b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a chance to change the default in Kubernetes when graduating the CRI?
Possibly, when is seccomp going to be GA? possibly then as well. The issue is, unless either of those make 1.20 and also update the default, users won't get it for a while. If upstream k8s changes the default, we can go to that and drop this option. Until then, I think it's something admins should be given the choice for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perpaps something like this instead?
--seccomp-empty=[unconfined|default]
Changes the meaning of an empty seccomp profile. By default
(and according to CRI spec), empty profile means unconfined.
This option allows to treat an empty profile as default profile,
which might increase security.
Overall, though, it's too complicated (== semantically overloaded) either way (yours or mine).
OK, one more alternative is boolean's |
what about |
I like this verbiage, but it's pretty verbose for help text, I'll add it to the config text though |
f8308ed
to
4076033
Compare
right now, the CRI defaults to an unconfined profile when it's set to empty. However, it's possible admins want the behavior to default to the default profile instead. Add a knob to allow admins to override the empty behavior from unconfined to the default. Note, when set this technically makes CRI-O not CRI compliant, but for increased security, it's worth it. Signed-off-by: Peter Hunt <pehunt@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test case needs a revamp but AFAIK @wgahnagl is working on this one, so she can cover this, too.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: haircommander, kolyshkin, mrunalp, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
What type of PR is this?
/kind feature
What this PR does / why we need it:
right now, the CRI defaults to an unconfined profile when it's set to empty
However, it's possible admins want the behavior to default to the default profile instead.
add a knob to allow admins to override the empty behavior from unconfined to the default
Note, when set this technically makes CRI-O not CRI compliant, but for increased security, it's worth it.
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?