-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Record seccomp profiles #46
Comments
/priority important-longterm |
This method is ideal for long running containers which would be "monitored" as its functionality is being used, as it only captures the syscalls made during the execution of the container being observed. The more permutations of execution paths ran, the more accurate will be the resulting profile. A challenge on using seccomp-bpf-hook on a cluster is that it will need to run as root and with Ideally such approach would be used on ephemeral non-production clusters with the assistance of E2E tests which would be executed against the container being observed. |
Moving to v2. |
cc @rhafer @ereslibre @mrostecki |
I did a bit of reasearch, i just want to cross-reference them:
|
Interesting approaches @moolen and thank you for the insights. 🙏 From my perspective the most clean way would be to let containerd suppport OCI hooks, where I see no major blockers for it. 🤷 |
@pjbgf Isn't it only the hook itself that needs |
Yeah, that might be worth a look. Another option would be to utilize the seccomp notifcation mechanism (as already mentioned in initial post), but that does require some changes on lower level runtimes (
Hm, I guess at that point it might already have missed a couple of syscalls? So result would be imcomplete. I agree with @saschagrunert here, it would be cool if containerd would finally get support for oci-hooks. |
Very fair observation. Overall my concern is that requiring users to have something running with Once we get to a working prototype we can brainstorm around it. |
/assign |
Let's close this for now, more enhancements to the feature to come. |
@saschagrunert: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The idea is to allow the recording of seccomp profiles directly inside the Kubernetes cluster. To achieve that we could utilize the oci-seccomp-bpf-hook, which has the following requirements:
We could think about annotating a node, then install the kernel headers (may be a prerequisite) and the hook. After that, the operator would have to annotate the target workload correctly (that's the way how the hook knows what to do). The recorded profile would have to be written into a configmap afterwards, which would cause that all nodes sync the profile to disk.
WDYT? It's overall a bit complicated but seems like a valuable feature after the initial release.
Edit: We could also use the seccomp notifier feature to think about a more elegant way to record profiles. This needs more evaluation but might be achievable by creating a PID namespace-shared sidecar.
The text was updated successfully, but these errors were encountered: