Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom Resource Definition (CRD) for profiles #117

Closed
saschagrunert opened this issue Aug 27, 2020 · 6 comments · Fixed by #125
Closed

Custom Resource Definition (CRD) for profiles #117

saschagrunert opened this issue Aug 27, 2020 · 6 comments · Fixed by #125
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Milestone
v0.2.0

Comments

@saschagrunert
Copy link
Member

The idea is to create a CRD on top of profiles, which helps to:

  • focus on a better user experience
  • provides a useful abstraction, like the minimum amount of syscalls needed for container runtimes like runc
  • easier create profiles on a higher level
@saschagrunert saschagrunert added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 27, 2020
@saschagrunert saschagrunert added this to the v0.2.0 milestone Aug 27, 2020
@saschagrunert
Copy link
Member Author

cc @cmurphy

@cmurphy
Copy link
Contributor

cmurphy commented Sep 1, 2020

I started working on a rough schema definition for this: https://gist.github.com/cmurphy/dc67e2d1214947972f41b7caa2ebf3ae

Going to look into using kubebuilder to translate the yaml into Go and build the controller.

@saschagrunert
Copy link
Member Author

saschagrunert commented Sep 1, 2020
edited

Awesome, thank you for the update @cmurphy! I’ll give it a look. (cc @pjbgf @hasheddan)

@saschagrunert
Copy link
Member Author

saschagrunert commented Sep 1, 2020
edited

I really like the proposal in the GitHub gist! One thing you've already mentioned is that some fields are not part of the runtime spec. Now it gets a bit tricky: The main reason of that is because before the runtime spec even existed, docker invented the original seccomp profile types there:

https://github.com/moby/moby/blob/master/api/types/seccomp.go
(used by docker nowadays and includes the additional fields, like comment)

But, we also have types there:

I like the idea to just rely on the runtime-spec in the first place, because that's the only one where a common standard exists. On the other hand we have to find a way to express the capability bounding (see includes, excludes in your proposal, or here in containerd.

@pjbgf
Copy link
Member

pjbgf commented Sep 2, 2020

Just added some comments directly in the gist, but in short: yes, brilliant stuff from @cmurphy! 👍

@saschagrunert I would agree with your suggestion to start with support for the runtime-spec. If we document that non-OCI fields are only supported on the ConfigMap implementation we should have no problems.

I have a feeling that most users won't be using things such as includes/excludes. But if I am wrong, we can always rely on the community to feedback and ask for it later.

@cmurphy cmurphy mentioned this issue Sep 3, 2020
Merged
@cmurphy
Copy link
Contributor

cmurphy commented Sep 3, 2020

Thanks for the comments! I started a rough implementation here: #125

I added KILL_THREAD but haven't addressed the other questions of whether to include properties from the runtime spec vs docker vs containerd etc yet.

@cmurphy cmurphy mentioned this issue Oct 30, 2020
Closed
@cmurphy cmurphy mentioned this issue Nov 23, 2020
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
v0.2.0
Development

Successfully merging a pull request may close this issue.

Implement SeccompProfile CRD and controller cmurphy/seccomp-operator
3 participants
@saschagrunert @cmurphy @pjbgf