Kubelet option to enable seccomp by default #2413

Closed
12 tasks done
saschagrunert opened this issue Feb 3, 2021 · 53 comments
Labels
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • sig/node: Categorizes an issue or PR as relevant to SIG Node.
  • sig/security: Categorizes an issue or PR as relevant to SIG Security.
  • stage/stable: Denotes an issue tracking an enhancement targeted for Stable/GA status.
  • tracked/yes: Denotes an enhancement issue is actively being tracked by the Release Team.

Comments

@saschagrunert
Member

saschagrunert commented Feb 3, 2021

Enhancement Description

/sig node
/cc @mrunalp

@k8s-ci-robot k8s-ci-robot added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Feb 3, 2021
@annajung annajung added stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Feb 3, 2021
@annajung annajung added this to the v1.21 milestone Feb 3, 2021
@sftim
Contributor

sftim commented Feb 4, 2021

Is this also relevant to SIG Security?

@saschagrunert
Member Author

> Is this also relevant to SIG Security?

Yes, I think so:
/sig security

@k8s-ci-robot k8s-ci-robot added the sig/security Categorizes an issue or PR as relevant to SIG Security. label Feb 5, 2021
@annajung
Contributor

annajung commented Feb 7, 2021

Hi @saschagrunert

Enhancements Freeze is 2 days away, Feb 9th EOD PST

Enhancements team is aware that KEP update is currently in progress (PR #2414). Please make sure to work on missing requirements and get it merged before the freeze. For PRR related questions or to boost the PR for PRR review, please reach out in slack #prod-readiness

Any enhancements that do not complete the KEP requirements by the freeze will require an exception.

@saschagrunert
Member Author

Hi @annajung, thank you for the reminder. I doubt that this enhancement will make it into the current cycle since we're too close to the deadlines now. This is not a big deal - we can shift the review to this cycle and target implementing it in the next one. WDYT, @mrunalp?

@annajung
Contributor

Hi @saschagrunert,

Thank you for the update! With Enhancements Freeze now in effect, I will clear the milestone to reflect that this enhancement is not being tracked for 1.21.

If you change your mind and would like to be included in the 1.21 Release, please submit an Exception Request as soon as possible.

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.21 milestone Feb 10, 2021
@annajung annajung added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Feb 10, 2021
@ehashman
Member

ehashman commented May 4, 2021

/milestone v1.22

@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone May 4, 2021
@JamesLaverack JamesLaverack added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels May 5, 2021
@jrsapi

jrsapi commented May 11, 2021

Greetings @saschagrunert!
Enhancement shadow checking and reviewing the KEP. Just one request to complete:

  • Update this issue with the current milestone.

Friendly reminder that the Enhancement freeze is this Thursday 5/13.

@ehashman
Member

Comment's been updated.

@jrsapi

jrsapi commented May 13, 2021

Greetings @saschagrunert!
Following up and after reviewing the KEP and approved PRR. This enhancement is now being tracked for the 1.22 milestone.
One additional question, SIG-security is tagged on this KEP. Is there anything that SIG-security needs to deliver for this KEP?

Thanks!

@saschagrunert
Member Author

> Greetings @saschagrunert!
> Following up and after reviewing the KEP and approved PRR. This enhancement is now being tracked for the 1.22 milestone.
> One additional question, SIG-security is tagged on this KEP. Is there anything that SIG-security needs to deliver for this KEP?
>
> Thanks!

Hey @jrsapi 👋, I think SIG Security only needs to be aware that this KEP exists, so it's just informal. 😊

@jrsapi

jrsapi commented Jun 24, 2021

Greetings @saschagrunert,
Enhancement shadow checking with a reminder that we are 2 weeks away from code freeze (July 8, 2021). Can you confirm if the following k/k PR is all that is needed for the implementation of this enhancement for the 1.22 milestone?

Thanks!

@saschagrunert
Member Author

@jrsapi thank you for the reminder, the alpha implementation is now done 😊

@dims
Member

dims commented Jan 31, 2023

thanks @saschagrunert

@Atharva-Shinde
Contributor

Hello @saschagrunert 👋, Enhancements team here.

Just checking in as we approach Enhancements freeze at 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting stage stable for 1.27 (correct me if otherwise).

Here's where this enhancement currently stands:

  • KEP readme using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable for latest-milestone: 1.27
  • KEP readme has an updated detailed test plan section filled out
  • KEP readme has up-to-date graduation criteria
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would need to update the following:

  • Add response for this question in the Scalability questionnaire of the KEP readme

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

@Atharva-Shinde
Contributor

Hey again @saschagrunert
Please try to get the KEP PR #3718 (addressing the changes mentioned above) merged before tomorrow's Enhancement Freeze :)
The status of this enhancement is still marked as at risk.

@mrunalp
Contributor

mrunalp commented Feb 9, 2023

#3718 is merged. Can this be tracked?

@saschagrunert
Member Author

Hey folks, I added a follow-up PR on top of the latest changes which adds the missing question: #3864

Should be a no-op since we answer the question with "No".

@SergeyKanzhelev
Member

@Atharva-Shinde this one should be good to go

@marosset
Contributor

This enhancement meets all the requirements to be tracked in the v1.27 release.
Thanks @saschagrunert !

@marosset marosset moved this from At Risk to Tracked in 1.27 Enhancements Tracking Feb 10, 2023
@marosset marosset added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Feb 10, 2023
@liggitt liggitt changed the title Enable seccomp by default Kubelet option to enable seccomp by default Feb 14, 2023
@liggitt
Member

liggitt commented Feb 14, 2023

I modified the title / description to clarify that this enhancement gives the kubelet an option to enable seccomp by default, but does not change default behavior unless the node administrator opts in by setting this kubelet option (xref initial PRR discussion about requiring an opt-in flag even in GA at kubernetes/kubernetes#101943 (comment))

@katmutua
Member

katmutua commented Mar 9, 2023

Hello @saschagrunert 👋🏾 !

@katmutua 1.27 Release Docs shadow here. This enhancement is marked as ‘Needs Docs’ for 1.27 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.27 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by March 16. For more information, please take a look at Documenting for a release to familiarize yourself with the documentation requirements for the release.

If you already have existing open PRs please link them to the description so we can easily track them. Thanks!

@saschagrunert
Member Author

Thank you @katmutua, the placeholder PR is now available in kubernetes/website#39906

@Atharva-Shinde
Contributor

Hey again @saschagrunert 👋 Enhancements team here,
Just checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023.

Here's where this enhancement currently stands:

Also please let me know if there are other PRs in k/k we should be tracking for this KEP.
As always, we are here to help if any questions come up. Thanks!

@marosset
Contributor

/stage stable

@k8s-ci-robot k8s-ci-robot added stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status and removed stage/beta Denotes an issue tracking an enhancement targeted for Beta status labels Mar 20, 2023
@saschagrunert
Member Author

This is done

@AkihiroSuda
Member

Is there any discussion about making it "literally" default?
i.e., Defaulting seccompDefault to true in KubeletConfiguration.

@saschagrunert
Member Author

@AkihiroSuda unfortunately not, because it could implicitly break existing workloads on upgrades.

@salehsedghpour
Contributor

/remove-label lead-opted-in

@k8s-ci-robot k8s-ci-robot removed the lead-opted-in Denotes that an issue has been opted in to a release label Jan 6, 2024
Projects
Status: Tracked