Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for OCI artifact seccomp profiles #7719

Merged
merged 1 commit into from
Feb 7, 2024
Merged

Add support for OCI artifact seccomp profiles #7719

merged 1 commit into from
Feb 7, 2024

Conversation

saschagrunert
Copy link
Member

@saschagrunert saschagrunert commented Jan 31, 2024
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

This feature allows pulling seccomp profiles using OCI artifacts directly within CRI-O.
The new annotation seccomp-profile.kubernetes.cri-o.io can be used to:

  • Use a seccomp profile for a whole container image. This works if if it got build with the annotation, for example: 
    podman build \
  --annotation seccomp-profile.kubernetes.cri-o.io/POD=quay.io/crio/seccomp:v1 \
  -t quay.io/crio/nginx-seccomp .
  • Use a seccomp profile for every container within a pod: 
    apiVersion: v1
kind: Pod
metadata:
  name: pod
  annotations:
    seccomp-profile.kubernetes.cri-o.io/POD: quay.io/crio/seccomp:v1
spec:
  • Use a seccomp profile for a specific container within a pod: 
    apiVersion: v1
kind: Pod
metadata:
  name: pod
  annotations:
    seccomp-profile.kubernetes.cri-o.io/container: quay.io/crio/seccomp:v1
spec:
  containers:
  - name: container
    image:

The profile itself can be pushed into a registry using the ORAS CLI, for example by running:

echo "{}" > config.json
tar cf seccomp.tar seccomp.json
oras push --config config.json:application/vnd.oci.image.config.v1+json quay.io/crio/seccomp:v1 seccomp.tar

The resulting image manifest looks like this:

skopeo inspect --raw docker://quay.io/crio/seccomp:v1 | jq .
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356",
    "size": 3
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar",
      "digest": "sha256:c15f3eb1efd9abe0ae973e050c374988bba52c45a53f5c3cd80419a865013fa6",
      "size": 20480,
      "annotations": {
        "org.opencontainers.image.title": "seccomp.tar"
      }
    }
  ],
  "annotations": {
    "org.opencontainers.image.created": "2024-02-05T11:37:22Z"
  }
}

Authentication with registries during artifact pull is out of scope of this PR.

Which issue(s) this PR fixes:

Fixes #7580

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Add support for OCI artifact seccomp profiles using the `seccomp-profile.kubernetes.cri-o.io/<CONTAINER_NAME>` and `seccomp-profile.kubernetes.cri-o.io/POD` annotations on container images or Kubernetes workloads.

@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. labels Jan 31, 2024
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 31, 2024
@saschagrunert
Copy link
Member Author

/retest

@saschagrunert saschagrunert force-pushed the seccomp-oci-artifacts branch 4 times, most recently from e001632 to a86a6f8 Compare February 5, 2024 09:36
@codecov Codecov
Copy link

codecov bot commented Feb 5, 2024
edited
Loading

Codecov Report

Merging #7719 (b20d06c) into main (e9febd3) will increase coverage by 0.09%.
Report is 5 commits behind head on main.
The diff coverage is 71.42%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7719      +/-   ##
==========================================
+ Coverage   47.95%   48.05%   +0.09%     
==========================================
  Files         146      148       +2     
  Lines       16274    16339      +65     
==========================================
+ Hits         7804     7851      +47     
- Misses       7517     7532      +15     
- Partials      953      956       +3

@saschagrunert saschagrunert force-pushed the seccomp-oci-artifacts branch 4 times, most recently from 26e81b7 to dafe655 Compare February 5, 2024 11:50
@saschagrunert saschagrunert changed the title PoC: Add support for OCI artifact seccomp profiles Add support for OCI artifact seccomp profiles Feb 5, 2024
@saschagrunert
Copy link
Member Author

I'm going to blog about this, for now it's ready for review.

PTAL @cri-o/cri-o-maintainers

@saschagrunert
Copy link
Member Author

/test ci-fedora-kata

@kwilczynski
Copy link
Member

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 5, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 5, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kwilczynski, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@saschagrunert
Copy link
Member Author

/test ci-fedora-kata

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Feb 6, 2024
@saschagrunert saschagrunert mentioned this pull request Feb 13, 2024
Merged
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 13, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
3f39261 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 13, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
e8599ad 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@sftim
Copy link

sftim commented Feb 13, 2024

Eesh. We're still lacking a mapping or documented convention about how the annotations get set on containers when they start out on a Kubernetes Pod (Kubernetes uses a different convention).

I commented on this in https://github.com/kubernetes/website/pull/45121/files#r1487723768

saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 13, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
733608a 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 13, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
430312c 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 13, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
b3e92ef 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert saschagrunert mentioned this pull request Feb 14, 2024
Merged
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 14, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
0b19dcf 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 19, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
0dfd397 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 19, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
39790e0 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
789c78f 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
e238c0c 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
c1ed36c 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
cdac351 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
1501e2f 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
4e85b41 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
08e2574 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
7ffc56d 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 20, 2024
@saschagrunert
Add blog post about CRI-O's seccomp OCI artifact feature
3b30ffb 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@mtrmac mtrmac mentioned this pull request Feb 21, 2024
Closed
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 21, 2024
@saschagrunert @sftim
Add blog post about CRI-O's seccomp OCI artifact feature
509d76f 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
@mtrmac mtrmac mentioned this pull request Feb 22, 2024
Closed
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 27, 2024
@saschagrunert @sftim
Add blog post about CRI-O's seccomp OCI artifact feature
90dc880 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 28, 2024
@saschagrunert @sftim
Add blog post about CRI-O's seccomp OCI artifact feature
1162ffb 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 28, 2024
@saschagrunert @sftim
Add blog post about CRI-O's seccomp OCI artifact feature
be04763 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this pull request Feb 28, 2024
@saschagrunert @sftim
Add blog post about CRI-O's seccomp OCI artifact feature
45873bc 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@hasan4791 hasan4791 mentioned this pull request Mar 4, 2024
Merged
Andygol pushed a commit to Andygol/k8s-website that referenced this pull request Mar 12, 2024
@saschagrunert @sftim @Andygol
Add blog post about CRI-O's seccomp OCI artifact feature
23ad1b8 
This blog post wraps the efforts around a future CRI-O feature
implemented in PR: cri-o/cri-o#7719

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@MaksimKlepikov MaksimKlepikov mentioned this pull request Sep 30, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sohankunkerkar sohankunkerkar sohankunkerkar left review comments

@haircommander haircommander haircommander left review comments

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@kwilczynski kwilczynski Awaiting requested review from kwilczynski

@wgahnagl wgahnagl Awaiting requested review from wgahnagl

Assignees

@kwilczynski kwilczynski

@sohankunkerkar sohankunkerkar

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Attaching seccomp profiles as OCI artifacts to container images
5 participants
@saschagrunert @kwilczynski @sohankunkerkar @sftim @haircommander