
Enable seccomp by default #2413

Open
8 of 12 tasks
saschagrunert opened this issue Feb 3, 2021 · 32 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/security Categorizes an issue or PR as relevant to SIG Security. stage/beta Denotes an issue tracking an enhancement targeted for Beta status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team
Milestone

Comments

@saschagrunert
Member

saschagrunert commented Feb 3, 2021

Enhancement Description

/sig node
/cc @mrunalp

@k8s-ci-robot k8s-ci-robot added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Feb 3, 2021
@annajung annajung added stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Feb 3, 2021
@annajung annajung added this to the v1.21 milestone Feb 3, 2021
@sftim
Contributor

sftim commented Feb 4, 2021

Is this also relevant to SIG Security?

@saschagrunert
Member Author

saschagrunert commented Feb 5, 2021

Is this also relevant to SIG Security?

Yes, I think so:
/sig security

@k8s-ci-robot k8s-ci-robot added the sig/security Categorizes an issue or PR as relevant to SIG Security. label Feb 5, 2021
@annajung
Member

annajung commented Feb 7, 2021

Hi @saschagrunert

Enhancements Freeze is 2 days away, Feb 9th EOD PST

Enhancements team is aware that KEP update is currently in progress (PR #2414). Please make sure to work on missing requirements and get it merged before the freeze. For PRR related questions or to boost the PR for PRR review, please reach out in slack #prod-readiness

Any enhancements that do not complete the KEP requirements by the freeze will require an exception.

@saschagrunert
Member Author

saschagrunert commented Feb 8, 2021

Hi @annajung, thank you for the reminder. I doubt that this enhancement will make it into the current cycle since we're too close to the deadlines now. This is not a big deal; we can shift the review to this cycle and target implementing it in the next one. WDYT, @mrunalp?

@annajung
Member

annajung commented Feb 10, 2021

Hi @saschagrunert,

Thank you for the update! With Enhancements Freeze now in effect, I will clear the milestone to reflect that this enhancement is not being tracked for 1.21.

If you change your mind and like to be included in the 1.21 Release, please submit an Exception Request as soon as possible.

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.21 milestone Feb 10, 2021
@annajung annajung added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Feb 10, 2021
@ehashman
Member

ehashman commented May 4, 2021

/milestone v1.22

@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone May 4, 2021
@JamesLaverack JamesLaverack added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels May 5, 2021
@jrsapi

jrsapi commented May 11, 2021

Greetings @saschagrunert!
Enhancement shadow checking and reviewing the KEP. Just one request to complete:

  • Update this issue with the current milestone.

Friendly reminder that the Enhancement freeze is this Thursday 5/13.

@ehashman
Member

ehashman commented May 11, 2021

Comment's been updated.

@jrsapi

jrsapi commented May 13, 2021

Greetings @saschagrunert!
Following up after reviewing the KEP and the approved PRR: this enhancement is now being tracked for the 1.22 milestone.
One additional question: SIG Security is tagged on this KEP. Is there anything that SIG Security needs to deliver for this KEP?

Thanks!

@saschagrunert
Member Author

saschagrunert commented May 14, 2021

Greetings @saschagrunert!
Following up after reviewing the KEP and the approved PRR: this enhancement is now being tracked for the 1.22 milestone.
One additional question: SIG Security is tagged on this KEP. Is there anything that SIG Security needs to deliver for this KEP?

Thanks!

Hey @jrsapi 👋, I think SIG Security only needs to be aware that this KEP exists, so it's just informal. 😊

@jrsapi

jrsapi commented Jun 24, 2021

Greetings @saschagrunert,
Enhancement shadow checking with a reminder that we are 2 weeks away from code freeze (July 8, 2021). Can you confirm if the following k/k PR is all that is needed for the implementation of this enhancement for the 1.22 milestone?

Thanks!

@saschagrunert
Member Author

saschagrunert commented Jun 28, 2021

@jrsapi thank you for the reminder, the alpha implementation is now done 😊

@fvoznika

fvoznika commented Feb 10, 2022

@saschagrunert,
In terms of configuration, I think it can be specified like other fields in the RuntimeClass definition, e.g. scheduling:

```yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: example
handler: my-runtime
seccompProfile:
  type: Localhost
  localhostProfile: profiles/audit.json
```

In the case of gVisor, seccompProfile.type would be set to Unconfined.

The benefit to add this to Kubernetes is to make the integration between RuntimeClass and Seccomp (both K8s concepts) first class. By delegating this to the container runtime, the rules that are applied to the runtime are opaque and not configurable by the user.

@tallclair
Member

tallclair commented Mar 9, 2022

(I think I left a similar comment somewhere else, but I'm not sure where)

As an alternative to specifying the profile in the RuntimeClass definition, containerd & cri-o could make the "runtime/default" profile configurable per runtime-handler.
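The two comments above sketch the same layering from different ends: a per-handler seccomp profile (whether it lives on the RuntimeClass object, as proposed, or in the containerd/cri-o configuration for that handler) that sits below any explicit pod or container setting and above the cluster-wide fallback. The following Go program is an added example, not code from Kubernetes or from either commenter; it resolves the profile a container would end up with and flags those left unconfined. The `RuntimeClassProfiles` lookup and its position in the precedence order are assumptions modelling the proposal, not existing Kubernetes behaviour; the last two steps (unset profile becomes `RuntimeDefault` when the kubelet's `SeccompDefault` setting is on, `Unconfined` otherwise) follow this KEP.

```go
package main

import "fmt"

// SeccompProfile mirrors the shape of the Kubernetes
// securityContext.seccompProfile field.
type SeccompProfile struct {
	Type             string // "RuntimeDefault", "Localhost" or "Unconfined"
	LocalhostProfile string // path under the kubelet seccomp root, for Type == "Localhost"
}

// Container carries only the part of a container spec relevant here.
type Container struct {
	Name    string
	Profile *SeccompProfile // container-level seccompProfile; nil when unset
}

// Pod carries the pod-level seccompProfile and the RuntimeClass handler name.
type Pod struct {
	Name         string
	RuntimeClass string          // runtimeClassName; "" when unset
	Profile      *SeccompProfile // pod-level seccompProfile; nil when unset
	Containers   []Container
}

// Cluster models the two settings that decide the fallback profile.
type Cluster struct {
	// SeccompDefault is true when the kubelet runs with the SeccompDefault
	// feature gate and the seccompDefault setting enabled (this KEP).
	SeccompDefault bool
	// RuntimeClassProfiles is a HYPOTHETICAL lookup of the seccompProfile
	// field proposed for RuntimeClass in the comment above (or, equivalently,
	// a per-handler "runtime/default" configured in the container runtime).
	// It is not part of the Kubernetes API; its place in the order below is
	// an assumption of this example.
	RuntimeClassProfiles map[string]SeccompProfile
}

// Effective returns the seccomp profile a container would run with.
func (c Cluster) Effective(p Pod, ct Container) SeccompProfile {
	if ct.Profile != nil { // an explicit container-level setting wins
		return *ct.Profile
	}
	if p.Profile != nil { // then the pod-level setting
		return *p.Profile
	}
	if rc, ok := c.RuntimeClassProfiles[p.RuntimeClass]; ok { // hypothetical per-handler layer
		return rc
	}
	if c.SeccompDefault { // KEP-2413: unset becomes RuntimeDefault instead of Unconfined
		return SeccompProfile{Type: "RuntimeDefault"}
	}
	return SeccompProfile{Type: "Unconfined"}
}

// Unconfined lists the containers of p that would run with no seccomp filter,
// which is what a defender auditing a default-on cluster wants surfaced.
func (c Cluster) Unconfined(p Pod) []string {
	var names []string
	for _, ct := range p.Containers {
		if c.Effective(p, ct).Type == "Unconfined" {
			names = append(names, ct.Name)
		}
	}
	return names
}

func main() {
	// Constructed sample: a default-on kubelet plus the proposed gVisor
	// override from the comment above (sandbox handles syscall filtering itself).
	cluster := Cluster{
		SeccompDefault: true,
		RuntimeClassProfiles: map[string]SeccompProfile{
			"gvisor": {Type: "Unconfined"},
		},
	}
	pods := []Pod{
		{Name: "plain", Containers: []Container{{Name: "app"}}},
		{Name: "sandboxed", RuntimeClass: "gvisor", Containers: []Container{{Name: "app"}}},
		{Name: "pinned", RuntimeClass: "gvisor",
			Profile: &SeccompProfile{Type: "Localhost", LocalhostProfile: "profiles/audit.json"},
			Containers: []Container{
				{Name: "app"},
				{Name: "sidecar", Profile: &SeccompProfile{Type: "Unconfined"}},
			}},
	}
	for _, p := range pods {
		for _, ct := range p.Containers {
			fmt.Printf("%s/%s -> %+v\n", p.Name, ct.Name, cluster.Effective(p, ct))
		}
		fmt.Printf("%s unconfined containers: %v\n", p.Name, cluster.Unconfined(p))
	}
}
```

Running it shows why the per-handler layer matters: with the kubelet default on, `plain/app` resolves to `RuntimeDefault`, `sandboxed/app` is deliberately `Unconfined` through the handler, and in `pinned` only the sidecar with an explicit `Unconfined` shows up in the audit list.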

@tallclair tallclair added this to the v1.25 milestone Jun 10, 2022
@Priyankasaggu11929 Priyankasaggu11929 added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels Jun 10, 2022
@rhockenbury

rhockenbury commented Jun 15, 2022

👋 Hello @saschagrunert and @mrunalp,

1.25 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 23, 2022.

This enhancement is targeting for stage beta for 1.25, correct?

Here's where this enhancement currently stands:

  • KEP file using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable
  • KEP has an updated detailed test plan section filled out
  • KEP has up to date graduation criteria
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would just need to update the following:

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

@saschagrunert
Member Author

saschagrunert commented Jun 15, 2022

@rhockenbury thank you for the notice, I'm incorporating all changes into the existing PR #3240.

Yep, this feature is aiming for graduation in v1.25. 👍

@rhockenbury

rhockenbury commented Jun 20, 2022

Thanks! Marking as tracked for the v1.25 cycle.

@saschagrunert
Member Author

saschagrunert commented Jun 27, 2022

k/k code changes incoming in kubernetes/kubernetes#110805
docs will be done in kubernetes/website#34640

saschagrunert added a commit to saschagrunert/website that referenced this issue Jun 27, 2022
We now update the documentation to reflect the current state of the
feature.

Refers to: kubernetes/enhancements#2413

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/website that referenced this issue Jun 27, 2022
We now update the documentation to reflect the current state of the
feature.

Refers to: kubernetes/enhancements#2413

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
saschagrunert added a commit to saschagrunert/kubernetes that referenced this issue Jun 27, 2022
As outlined in the KEP, we now graduate the Kubelet feature to beta
which means that it is enabled by default. The corresponding Kubelet
flag still defaults to `false`, but we now have the chance to e2e test
the feature by using a new serial test case.

KEP: kubernetes/enhancements#2413

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert
Member Author

saschagrunert commented Jul 18, 2022

Most of the PRs have been merged, we're good to go for 1.25 and the graduation. :)

@marosset
Contributor

marosset commented Jul 25, 2022

Hi @saschagrunert / @mrunalp 👋

1.25 enhancements team here. Checking in once more as we approach 1.25 code freeze at 01:00 UTC on Wednesday, 3rd August 2022.

Thank you for linking PRs in the issue description!
This enhancement is currently tracked for the v1.25 release.

As always, we are here to help should questions come up.

Thanks!!

PushkarJ pushed a commit to PushkarJ/website that referenced this issue Aug 9, 2022
We now update the documentation to reflect the current state of the
feature.

Refers to: kubernetes/enhancements#2413

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@rhockenbury rhockenbury added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Sep 11, 2022