-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: PoC for Recording seccomp profiles #140
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rhafer The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@rhafer really good job so far! Here's my 2 pence on the open questions:
Very good question. Maybe it would be worth keeping it simple for now and just create the CRD profile, which will lead to sync/saving into all nodes. At this point, the user would always need to actively map a profile to a workload, which they should be allowed to. We can refine this further once we have the auto apply in place. On that point, it would be nice to auto populate the new field that defines what image is this profile for. This is still WIP, just linking here for future reference: #138 (comment)
My understanding is that now that we are deprecating the |
👍
Hm, not sure I completely understand that. But I think the recorded profile should endup in the same namespace as the pod that it was recorded from. Otherwise it would just be too easy to have two pods from different namespaces overwrite each other's recorded profiles. |
I didn't fully understand this before, but I guess the "cluster level profiles" are, e.g. the
I agree with @rhafer that the profile should go in the namespace it was recorded from, and as such I'm not sure how the operator could be further restricted: it needs broad permissions to write SeccompProfiles to any namespace. |
// traceAnnotation is the annotation on a Pod that triggers the | ||
// oci-seccomp-bpf-hook to trace the syscalls of a Pod and created a | ||
// seccomp profile. | ||
traceAnnotation = "io.containers.trace-syscall" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you use the CRI-O annotation patch to make this work? I'm thinking if we can choose another way to pass the data than the annotation…
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah. For now this depends on the annotation patch. (For reference cri-o/cri-o#4138)
@rhafer I am not opposed to get the recorded profile into the namespace the recorded pod was running from, I just thought this probably would happen as two separate steps to start with:
Given how difficult it is to get a complete profile, I was thinking on restricting the first part to a given namespace, which we could then enforce simply by RBAC. Then second step would be the user's responsibility until this feature matured. However, I think it is more important to have an end-to-end process we can play around with then get bog down on this details, so feel free to go ahead and we will then tackle such concerns as they appear. |
This controller is watching pods carrying the "io.containers.trace-syscall" annotation which is used by the oci-seccomp-bpf hook to trigger the tracing of syscalls issued by a pod to generate a seccomp profile. After pod completion the controller will collect the generated profile and create a "SeccompProfile" resource in the namespace that the traced pod was running in. Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
The profile recorder controller needs some adjustments in the deployment of the operator: - New volume "host-seccomp-host-output-volume" this the location that the controller is trying to collect seccomp profiles from. - New RBAC requirements: - read access in "node" resources are required in order to figure out the nodes' internal IP addresses - read access on "pod" resources is required as the controller needs access to the "annoation" of the pods in order to scan for the trace annotation - As the controller is created SeccompProfile resources now it needs to have elevated access on the SeccompProfiles resources. Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
bd852b6
to
308ffdc
Compare
rebased |
/ok-to-test |
@rhafer: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Do you think that we can demo this at the community meeting this Thursday? |
Yeah, that should work. Even if just for discussing some of the road blocks I've hit recently with the current approach :-) |
Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
e189df6
to
f14166b
Compare
@saschagrunert: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@rhafer: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PoC adds a controller to the controller that will collect seccomp profiles generated by the
seccomp-bpf
oci-hook. It works by watching for pods carrying the "io.containers.trace-syscall" annotation which is used by the above oci hook to enable tracing of syscalls issued by a pod and generating a seccomp profiles from that.After pod completion the controller will collect the generated profile and create a "SeccompProfile" resource in the namespace that the traced pod was running in.
This is still in it's early stages and there are still quite a few things to work on:
And a ton of open questions to be detailed out:
.trace-syscall
annotation. This is not only a bad UX but also raises question about how to cleanup the directory and what to when e.g. to pods specify the same output file.Which issue(s) this PR fixes:
Fixes #46