Enable --seccomp-use-default-when-empty by default

[saschagrunert]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This is a premature step before the graduation of the seccompDefault
feature planned for Kubernetes v1.25. We now use the runtime/default
profile for every workload specifying none (empty) in the pod manifest.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Enable `--seccomp-use-default-when-empty`/`seccomp_use_default_when_empty` by default.
This is a premature step before the graduation of the `seccompDefault` feature planned for
Kubernetes v1.25. We now use the `runtime/default` profile for every workload specifying 
none (empty) in the pod manifest. 

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

Merging #5587 (ef99de3) into main (c4c89c6) will increase coverage by 0.03%.
The diff coverage is 84.61%.

❗ Current head ef99de3 differs from pull request most recent head ea39e74. Consider uploading reports for the commit ea39e74 to get more accurate results

@@            Coverage Diff             @@
##             main    #5587      +/-   ##
==========================================
+ Coverage   43.22%   43.25%   +0.03%     
==========================================
  Files         123      123              
  Lines       12296    12225      -71     
==========================================
- Hits         5315     5288      -27     
+ Misses       6471     6430      -41     
+ Partials      510      507       -3     

[saschagrunert]

Okay this was expected:

[haircommander]

building on this, I've pushed a commit that adds a minimal seccomp profile that only blocks unshare. Possibly, we can extend it to the other syscalls in the default profile that require cap_sys_admin. This is to test whether the openshift tests still fail with a minimal profile

[TomSweeneyRedHat]

LGTM
assuming happy tests

[saschagrunert]

/retest-required

[saschagrunert]

Fixed the critest suite by disabling the feature for them. I assume we have to fix this one critest with the graduation of the SeccompDefault feature in any case.

[saschagrunert]

/test e2e-agnostic

[saschagrunert]

/test e2e_rhel

[haircommander]

openshift tests pass! I'm going to progressively try to extend the seccomp default to see what is breaking openshift tests

[saschagrunert]

@haircommander two pods (dns and metrics scraper) seem to fail in the e2e tests. I'm going to gather the audit logs from the nodes, let's see if that works.

Does not seem to work, since /var/log/audit/audit.log is not available on the nodes:

TASK [Gather audit logs] *******************************************************
task path: /go/src/github.com/cri-o/cri-o/contrib/test/integration/e2e.yml:61
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: If you are using a module and expect the file to exist on the remote, see the remote_src option
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Could not find or access '/var/log/audit/audit.log' on the Ansible Controller.\nIf you are using a module and expect the file to exist on the remote, see the remote_src option"}

[saschagrunert]

/retest-required

[saschagrunert]

/retest

[littlejawa]

@saschagrunert it seems the kata-jenkins job is failing on the test you modified:

11:04:23 not ok 86 ctr seccomp profiles runtime/default by empty field
11:04:23 # (in test file ctr_seccomp_kata_integration_tests.bats, line 55)
11:04:23 #   `[ "$status" -ne 0 ]' failed

We are skipping several of these tests for Kata, and I realize this one should be skipped too - your modification is not introducing a bug, it's revealing a known issue.

I will modify the kata test script to skip this additional test for now.
Please ignore this failure on this PR.

[saschagrunert]

I will modify the kata test script to skip this additional test for now. Please ignore this failure on this PR.

Thank you!

[littlejawa]

/test kata-containers

[saschagrunert]

/test integration_fedora
/test integration_rhel

[saschagrunert]

@haircommander PTAL

[haircommander]

/lgtm

🎉 I know we aren't often in the blog writing business, but we should probably write a blog describing the change and what folks can do if their containers suddenly hit EPERM

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[saschagrunert]

/test e2e-gcp

[haircommander]

that may not be a flake
/retest

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[TomSweeneyRedHat]

Unless my eyes are crossing from too many reviews today, I believe this is showing happy green test buttons....

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.