Seccomp #135

Open
pweil- opened this issue Oct 25, 2016 · 70 comments

Comments

@pweil- (Member) commented Oct 25, 2016

Description

Seccomp support is providing the ability to define seccomp profiles and configure pods to run with those profiles. This includes the ability to control usage of the profiles via PSP as well as maintaining the ability to run as unconfined or with the default container runtime profile.

Progress Tracker

  • Alpha
  • Beta
    • Testing is sufficient for beta
    • User docs with tutorials
      • Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
      • cc @kubernetes/docs on docs PR
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
    • Thorough API review
      • cc @kubernetes/api
  • Stable
    • docs/proposals/foo.md moved to docs/design/foo.md
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
    • Soak, load testing
    • detailed user docs and examples
      • cc @kubernetes/docs
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

  • Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

  • Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
  • As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
    and sometimes http://github.com/kubernetes/contrib, or other repos.
  • When you are done with the code, apply the "code-complete" label.
  • When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
    check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
    testing. They won't do detailed code review: that already happened when your PRs were reviewed.
    When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

  • Write user docs and get them merged in.
  • User docs go into http://github.com/kubernetes/kubernetes.github.io.
  • When the feature has user docs, please add a comment mentioning @kubernetes/docs.
  • When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.
@pweil- (Member, Author) commented Oct 25, 2016

@derekwaynecarr @sttts @erictune didn't see an issue for this but it is already in alpha. Creating this as the reminder to push it through to beta and stable.

@sttts could you provide the appropriate links to docs and PRs? I think you are closest to this code.

@derekwaynecarr (Member) commented Oct 25, 2016

@pweil- @sttts - per our discussion, this is a feature we would like to sponsor in Kubernetes 1.6 under @kubernetes/sig-node

@idvoretskyi (Member) commented Oct 26, 2016

@pweil- @derekwaynecarr please, confirm that this feature has to be set with 1.6 milestone.

@sttts (Contributor) commented Oct 26, 2016

@idvoretskyi we target to move it to beta for 1.6.

@idvoretskyi idvoretskyi added this to the next-milestone milestone Oct 26, 2016
@idvoretskyi (Member) commented Oct 26, 2016

@sttts thanks.

@idvoretskyi (Member) commented Sep 5, 2017

@pweil- any updates for 1.8? Is this feature still on track for the release?

@pweil- (Member, Author) commented Sep 11, 2017

@idvoretskyi this was not a priority for 1.8. @php-coder can you add a card to this for our PM planning? We need to stop letting this fall through the cracks and get it moved to beta and GA.

@idvoretskyi (Member) commented Sep 12, 2017

@pweil- if this feature is not planned for 1.8 - please, update the milestone with the "next-milestone" or "1.9"

@tallclair (Member) commented Sep 23, 2017

I'd like to see this get to beta. Priorities (or requirements) for that include:

  1. Annotations (Pod & PodSecurityPolicy) must be moved to fields on the container SecurityContext (see https://github.com/kubernetes/community/blob/master/contributors/devel/api_changes.md#alpha-field-in-existing-api-version)
  2. Settle on the OCI spec seccomp format, and define a Kubernetes default profile (can we reuse Docker's?) kubernetes/kubernetes#39128
    a. Figure out how the Kubernetes profile is delivered to the container runtime via CRI (/cc @yujuhong @Random-Liu )
    b. docker/default should still be allowed if the runtime is docker (for backwards compatibility)
  3. The Kubernetes default profile should be the new default. For backwards compatibility, this MUST be optional behavior (i.e. flag controlled). kubernetes/kubernetes#39845

Is anyone interested in driving this work for the 1.9 (or 1.10) milestone? @jessfraz @kubernetes/sig-auth-feature-requests and @kubernetes/sig-node-feature-requests I'm looking at you 😉

Also relevant: kubernetes/community#660 (do we need to settle the decisions in that PR before proceeding?)

@tallclair (Member) commented Sep 23, 2017

/cc @destijl

@jessfraz commented Sep 24, 2017

@jessfraz commented Oct 18, 2017

ok I will update the proposal and start on this tomorrow if no one else will ;)

@tallclair (Member) commented Oct 3, 2019

Yes, I plan to graduate this to stable in v1.17 - KEP here: #1148

@annajung (Member) commented Oct 3, 2019

Hey @tallclair , I will add this enhancement to the tracking sheet to be tracked 👍

Please see the message above for friendly reminders and note that KEP is in a provisional state. KEP must be in an implementable state to be added to 1.17 release.

/milestone v1.17
/stage stable

@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Oct 3, 2019
@annajung annajung added tracked/yes and removed tracked/no labels Oct 3, 2019
@annajung (Member) commented Oct 7, 2019

Hey @tallclair Could you please post links to the tests in testgrid and keep track of any tests added for this enhancement?

Thank you!

@tallclair (Member) commented Oct 8, 2019

Will do. There are a bunch of seccomp tests already, but I can't find it on any dashboard tabs (is there any way to search across all testgrids for a specific test?)
https://github.com/kubernetes/kubernetes/blob/0956acbed17fb71e76e3fbde89f2da9f8ec8b603/test/e2e/node/security_context.go#L147-L177

@mrbobbytables (Member) commented Oct 8, 2019

@tallclair there isn't a good way to search across all of testgrid =/

My best guess (at least for the 4 you referenced) is that they aren't actually being included. 😬

They look like they should be a part of the node-kubelet-features dashboard, but the job config for ci-kubernetes-node-kubelet-features has this for its test_args:

--test_args=--nodes=8 --focus="\[NodeFeature:.+\]" --skip="\[Flaky\]|\[Serial\]"

The ginkgo tests themselves are tagged with [Feature:Seccomp] and the focus flag wouldn't match.
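To check which specs a job's --focus/--skip pair would actually select, here is an added Go illustration (not ginkgo's or the test-infra project's code): WouldRun models ginkgo's focus/skip selection, and the spec descriptions in SampleSpecs are constructed for the example, not copied from the e2e suite.

```go
package main

import (
	"fmt"
	"regexp"
)

// Filters from the ci-kubernetes-node-kubelet-features job config quoted above.
const (
	JobFocus = `\[NodeFeature:.+\]`
	JobSkip  = `\[Flaky\]|\[Serial\]`
)

// WouldRun models ginkgo's --focus/--skip selection: a spec runs only if its
// full description matches focus (when set) and does not match skip (when set).
// Added illustration, not ginkgo's own code; MustCompile panics on a bad regex.
func WouldRun(desc, focus, skip string) bool {
	if focus != "" && !regexp.MustCompile(focus).MatchString(desc) {
		return false
	}
	if skip != "" && regexp.MustCompile(skip).MatchString(desc) {
		return false
	}
	return true
}

// Constructed spec descriptions (not copied from the e2e suite) using the tag
// shapes discussed in the thread.
var SampleSpecs = []string{
	"[k8s.io] Security Context should support seccomp unconfined [Feature:Seccomp] [LinuxOnly]",
	"[k8s.io] Security Context should run with runtime/default [Feature:Seccomp] [LinuxOnly]",
	"[k8s.io] NodeProblemDetector should report events [NodeFeature:NodeProblemDetector]",
	"[k8s.io] Serial node test [NodeFeature:Foo] [Serial]",
}

// SelectedSpecs returns the specs the job's filters would actually execute.
func SelectedSpecs(focus, skip string, descs []string) []string {
	var out []string
	for _, d := range descs {
		if WouldRun(d, focus, skip) {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	sel := SelectedSpecs(JobFocus, JobSkip, SampleSpecs)
	fmt.Printf("%d of %d sample specs selected: %q\n", len(sel), len(SampleSpecs), sel)
}
```

With the job's filters only the [NodeFeature:...] spec without [Serial] survives, so neither [Feature:Seccomp] spec is run.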

@tallclair (Member) commented Oct 8, 2019

I think we should just remove the feature tag once this moves to GA. I think seccomp is standard on Linux, so the [LinuxOnly] tag should be sufficient.

For the general problem of tests not being run, I filed kubernetes/test-infra#14647

@annajung (Member) commented Oct 9, 2019

Hey @tallclair , We're only 5 days away from the Enhancements Freeze (Tuesday, October 15, EOD PST). Another friendly reminder that to be able to graduate this in the 1.17 release, KEP must be merged in and must be in implementable state. Looks like the KEP is still open and is in a provisional state.

@annajung (Member) commented Oct 16, 2019

Hey @tallclair, unfortunately the deadline for the 1.17 enhancement freeze has passed and it looks like the KEP is still open. I will be removing this enhancement from the 1.17 milestone.

Please note that you can file an enhancement exception if you need to get this in for 1.17

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.17 milestone Oct 16, 2019
@annajung annajung added tracked/no and removed tracked/yes labels Oct 16, 2019
@tallclair (Member) commented Oct 16, 2019

Yeah, didn't make the cut. Hoping to get it into
/milestone v1.18

@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Oct 16, 2019
@annajung (Member) commented Oct 16, 2019

That sounds good! I'll mark this as deferred to v1.18 in the enhancement tracking sheet.

@saschagrunert (Member) commented Jan 7, 2020

Hey 👋, is there anything we can do to move this one forward? I'd be happy to contribute here as well as for the AppArmor issue.

@jeremyrickard commented Jan 7, 2020

Hey @tallclair

1.18 Enhancements team checking in! Are you planning on graduating to stable in 1.18? It looks like the KEP is still open.

The release schedule is as follows:

Enhance Freeze: January 28
Code Freeze: March 5
Docs Ready: March 16
v1.18 Release: March 24

As a reminder, the KEP needs to be merged, with the status set to implementable.

Thanks!

@jeremyrickard jeremyrickard mentioned this issue Jan 7, 2020
@tallclair (Member) commented Jan 9, 2020

@saschagrunert thanks for the offer! I need to take another pass at the KEP to follow up from the API review I had with @liggitt. Once the KEP is approved, I'd welcome your help with the implementation.

I think the biggest open question on the KEP right now is how to handle the localhost profile type. Since we want to deprecate the feature (ideally in favor of something like #1269, /cc @pjbgf ), I'd like to avoid putting a field for it in the API.

@jeremyrickard commented Jan 22, 2020

Hey @tallclair, any update on if this will make it into 1.18 or not? It's currently marked in the milestone but you haven't confirmed if we should track this or not.

Thanks!

@tallclair (Member) commented Jan 22, 2020

v1.18 is seeming unlikely for this. I think we can bump to
/milestone v1.19

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.18, v1.19 Jan 22, 2020
@jeremyrickard commented Jan 22, 2020

Great, thanks for the update @tallclair :)

ingvagabund pushed a commit to ingvagabund/enhancements that referenced this issue Apr 2, 2020
Add fall-back to must-gather.