Enable --seccomp-use-default-when-empty
by default
#5587
Conversation
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: saschagrunert. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Codecov Report
@@            Coverage Diff             @@
##             main    #5587      +/-   ##
==========================================
+ Coverage   43.22%   43.25%   +0.03%
==========================================
  Files         123      123
  Lines       12296    12225      -71
==========================================
- Hits         5315     5288      -27
+ Misses       6471     6430      -41
+ Partials      510      507       -3
Building on this, I've pushed a commit that adds a minimal seccomp profile that only blocks unshare. Possibly, we can extend it to the other syscalls in the default profile that require cap_sys_admin. This is to test whether the openshift tests still fail with a minimal profile.
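The comment above reasons about a profile that blocks a single syscall, and the thread later worries about workloads that "suddenly hit EPERM" once `runtime/default` is applied to pods that specify no profile. The following is an added example, not CRI-O's code and not the test profile from this PR: a small Go evaluator for the OCI runtime-spec seccomp JSON shape (`defaultAction`, `syscalls[].names`, `syscalls[].action`, `errnoRet`) that reports which syscalls from a workload's needed set a given profile would deny. Both embedded profiles are constructed samples. It assumes, as runc does, that `SCMP_ACT_ERRNO` without an explicit `errnoRet` returns EPERM (1), it treats `SCMP_ACT_LOG` as permitting the call, and it ignores argument-level rules, so it is a pre-flight sanity check rather than a full libseccomp model.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the OCI runtime-spec linux.seccomp profile format. Argument
// filters (syscalls[].args) are deliberately not modelled here.
type Syscall struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	ErrnoRet *uint    `json:"errnoRet,omitempty"`
}

type SeccompProfile struct {
	DefaultAction   string    `json:"defaultAction"`
	DefaultErrnoRet *uint     `json:"defaultErrnoRet,omitempty"`
	Syscalls        []Syscall `json:"syscalls"`
}

// Constructed sample (not CRI-O's shipped profile): allow everything,
// deny only unshare with EPERM, the shape of the minimal test profile
// described in the thread.
const minimalProfileJSON = `{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {"names": ["unshare"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1}
  ]
}`

// Constructed sample of the opposite shape: deny by default, allowlist a few calls.
const allowlistProfileJSON = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}
  ]
}`

// Assumed fallback errno for SCMP_ACT_ERRNO when the profile sets none (EPERM on Linux).
const epermErrno uint = 1

// ParseProfile decodes a profile and rejects one without a defaultAction,
// since nothing can be decided for unlisted syscalls without it.
func ParseProfile(data []byte) (*SeccompProfile, error) {
	var p SeccompProfile
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, err
	}
	if p.DefaultAction == "" {
		return nil, fmt.Errorf("seccomp profile has no defaultAction")
	}
	return &p, nil
}

// Decision is the outcome for one syscall: the action and, for SCMP_ACT_ERRNO,
// the errno the caller would see.
type Decision struct {
	Action string
	Errno  uint
}

func errnoOr(explicit *uint) uint {
	if explicit != nil {
		return *explicit
	}
	return epermErrno
}

// Decide looks the syscall name up in the rule list and falls back to the
// profile default. Rules are matched by name only (see note above).
func Decide(p *SeccompProfile, name string) Decision {
	for _, rule := range p.Syscalls {
		for _, n := range rule.Names {
			if n == name {
				return Decision{Action: rule.Action, Errno: errnoOr(rule.ErrnoRet)}
			}
		}
	}
	return Decision{Action: p.DefaultAction, Errno: errnoOr(p.DefaultErrnoRet)}
}

// Denied returns, in input order, the syscalls from needed that the profile
// does not let through. SCMP_ACT_LOG is treated as permitting the call.
func Denied(p *SeccompProfile, needed []string) []string {
	var out []string
	for _, s := range needed {
		a := Decide(p, s).Action
		if a != "SCMP_ACT_ALLOW" && a != "SCMP_ACT_LOG" {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	needed := []string{"read", "write", "unshare", "mount"} // constructed workload needs
	for _, raw := range []string{minimalProfileJSON, allowlistProfileJSON} {
		p, err := ParseProfile([]byte(raw))
		if err != nil {
			panic(err)
		}
		fmt.Printf("default=%s denied=[%s]\n", p.DefaultAction, strings.Join(Denied(p, needed), " "))
	}
}
```

Running it against a real `runtime/default` profile exported from the node and the syscall list of a workload (gathered, for instance, from strace or from the audit log the thread tries to collect) gives an operator a first answer to "will this pod start failing with EPERM once the empty-profile default flips", before the change reaches the cluster.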
LGTM, assuming happy tests.
/retest-required
Fixed the critest suite by disabling the feature for them. I assume we have to fix this one.
/test e2e-agnostic
/test e2e_rhel
openshift tests pass! I'm going to progressively try to extend the seccomp default to see what is breaking openshift tests.
@haircommander two pods (dns and metrics scraper) seem to fail in the e2e tests. I'm going to gather the audit logs from the nodes, let's see if that works. Does not seem to work, since /var/log/audit/audit.log is not available on the nodes:
This is a premature step before the graduation of the `seccompDefault` feature planned for Kubernetes v1.25. We now use the `runtime/default` profile for every workload specifying none (empty) in the pod manifest. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
/retest-required
/retest
@saschagrunert it seems the kata-jenkins job is failing on the test you modified:
We are skipping several of these tests for Kata, and I realize this one should be skipped too. Your modification is not introducing a bug, it's revealing a known issue. I will modify the kata test script to skip this additional test for now.
Thank you!
/test kata-containers
/test integration_fedora
@haircommander PTAL
/lgtm 🎉 I know we aren't often in the blog writing business, but we should probably write a blog describing the change and what folks can do if their containers suddenly hit EPERM.
/retest-required Please review the full test history for this PR and help us cut down flakes.
/test e2e-gcp
That may not be a flake.
/retest-required Please review the full test history for this PR and help us cut down flakes.
Unless my eyes are crossing from too many reviews today, I believe this is showing happy green test buttons...
/retest-required Please review the full test history for this PR and help us cut down flakes.
We switched the option `seccomp_use_default_when_empty` to `true` in upstream, which breaks critest. To avoid such a failure in CI we now set it manually to `false`. Follow-up on: cri-o/cri-o#5587 Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
What type of PR is this?
/kind feature
What this PR does / why we need it:
This is a premature step before the graduation of the `seccompDefault` feature planned for Kubernetes v1.25. We now use the `runtime/default` profile for every workload specifying none (empty) in the pod manifest.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
None
Does this PR introduce a user-facing change?