Added kubelet config parameter 'seccompDefault' #6741
Conversation
...on/botanist/component/extensions/operatingsystemconfig/original/components/kubelet/config.go
...tanist/component/extensions/operatingsystemconfig/original/components/kubelet/config_test.go
There is a problem with inheritance of the kubelet config for workers, meaning that the seccomp configuration is not validated correctly.
The ValidateWorker function did not validate the worker's kubelet config when it was missing. When it is missing, the worker inherits the shoot's kubelet config. Added validation for the shoot's kubelet config when the worker's config is missing. Removed the default value for the seccompDefault config since it does not change the functionality and it would have been inherited by the worker node even when the worker node's k8s version is <= 1.24. In such a case there would have been a validation error which would have been hard to understand, since the user has not set seccompDefault.
/unhold
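The inheritance rule and version check described in the comment above, as an added example written for this page (not Gardener's own code): the worker's kubelet config falls back to the shoot's when unset, and the effective seccompDefault is then validated against the worker's Kubernetes version. The type and function names, and the plain "major.minor" version strings, are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// KubeletConfig: the subset of kubelet settings needed here (example types, not Gardener's API).
type KubeletConfig struct {
	SeccompDefault *bool // the kubelet 'seccompDefault' parameter
}

// Worker carries an optional kubelet config and the pool's Kubernetes version ("major.minor[.patch]").
type Worker struct {
	Name       string
	K8sVersion string
	Kubelet    *KubeletConfig
}

// effectiveKubelet returns the worker's own kubelet config when set, otherwise
// the shoot-level config the worker inherits.
func effectiveKubelet(shoot *KubeletConfig, w Worker) *KubeletConfig {
	if w.Kubelet != nil {
		return w.Kubelet
	}
	return shoot
}

// ValidateWorkerSeccomp rejects seccompDefault=true for a worker below Kubernetes 1.25,
// whether the setting was written on the worker itself or inherited from the shoot.
func ValidateWorkerSeccomp(shoot *KubeletConfig, w Worker) error {
	cfg := effectiveKubelet(shoot, w)
	if cfg == nil || cfg.SeccompDefault == nil || !*cfg.SeccompDefault {
		return nil // nothing enabled, nothing to check
	}
	var major, minor int
	if _, err := fmt.Sscanf(strings.TrimPrefix(w.K8sVersion, "v"), "%d.%d", &major, &minor); err != nil {
		return fmt.Errorf("worker %q: cannot parse Kubernetes version %q: %w", w.Name, w.K8sVersion, err)
	}
	if major < 1 || (major == 1 && minor < 25) {
		return fmt.Errorf("worker %q: seccompDefault requires Kubernetes >= 1.25, got %s", w.Name, w.K8sVersion)
	}
	return nil
}

func main() {
	on := true
	// Constructed sample: a setting inherited from the shoot by a 1.24 worker is rejected.
	fmt.Println(ValidateWorkerSeccomp(&KubeletConfig{SeccompDefault: &on}, Worker{Name: "pool-a", K8sVersion: "1.24.3"}))
}
```

Because the check runs on the effective (possibly inherited) config, the error names the worker pool, which is what a user who never wrote seccompDefault on that pool needs to see.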
Thanks!
/lgtm
/assign
Nice PR.
Are you addressing https://github.com/gardener/gardener/blob/2c5074415de457e9609f51850e62991c3cdb4f0d/docs/usage/default_seccomp_profile.md#future-steps here?
Independent of this, does it make sense to adapt the documentation/this file with information about this new feature?
Thank you for pointing this out. I have now updated this file with new information about the feature.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dimityrmirchev, rfranzke The full list of commands accepted by this bot can be found here. The pull request process is described here
779e103 to 2d9fe99
Looks like #6766
/lgtm
@AleksandarSavchev: The following test failed, say
Full PR test history. Your PR dashboard. Command help for this repository. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
How to categorize this PR?
/area security
/kind enhancement
What this PR does / why we need it:
This PR adds a new config parameter seccompDefault to kubelet which enhances the securityContext of shoot pods by setting their seccomp profiles to "RuntimeDefault". This new parameter is available for k8s versions >= 1.25 and can be enabled only when kubelet's 'SeccompDefault' feature gate is enabled (it is enabled by default). Added tests for the new parameter.
Which issue(s) this PR fixes:
Fixes #6501
Special notes for your reviewer:
Please see the comment below.
Release note: