Change seccomp default to 'docker/default'

[timstclair]

Seccomp is currently defaulted to unconfined on docker:

kubernetes/pkg/kubelet/dockertools/docker_manager.go

Line 120 in 9a88687

defaultSeccompOpt = []dockerOpt{{"seccomp", "unconfined", ""}}

I believe this is for historical reasons, from #21790. However, we now have the ability (albeit alpha) to control seccomp profiles, so we should change the default to the more secure docker/default option. This profile is carefully curated, and should provide enhanced security without breaking the majority of users. Unfortunately "the majority" is not "everybody", so changing this default would be a breaking change, and care needs to be taken when rolling it out.

This may also need to wait for seccomp to be promoted to beta.

@vishh @pmorie @kubernetes/sig-node-misc

[jessfraz]

fwiw when we launched it with docker i tested all the publically available dockerfiles on github and docker hub with it...

so it was not done without much testing, we also only had one issue iirc after the release which was a lot better than i expected.

[vishh]

+1 for attempting to roll out the default docker configuration. Ideally, we want users to use seccomp profiles that is fined tuned for each container. We might have to develop some tooling to make it easy to consume this feature in k8s. The current approach of storing profiles on node's root partition is complicated.

…

On Tue, Feb 14, 2017 at 2:34 PM, Jess Frazelle ***@***.***> wrote: fwiw when we launched it with docker i tested all the publically available dockerfiles on github and docker hub with it... so it was not done without much testing, we also only had one issue iirc after the release which was a lot better than i expected. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#39845 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AGvIKHFfYlPID8Ijgj0aF5KaJAp4fi-9ks5rcivzgaJpZM4LifTL> .

[jessfs]

Just want to add my +1 for making this the default.

[timstclair]

We might have to develop some tooling to make it easy to consume this
feature in k8s. The current approach of storing profiles on node's root
partition is complicated.

Agreed, I consider this alpha-behavior. For both seccomp & apparmor I'd like to add the ability to consume a ConfigMap (or maybe a new resource) as a profile. However, I consider this tangential to the issue discussed here.

Adjusting the default is already supported through the PodSecurityPolicy, but we still need to put some thought into how we'd go about rolling this out.

[jessfraz]

So there are a few ways I can imagine going about this, happy to open a proposal if you if agree with any:

1. defaulting to docker/default
2. forking the docker/default and maintaining our own default so we can edit easily in the future (i'm happy to do this since I wrote a lot of the docker default)
3. (2) might require making our own "seccomp profile spec" and adding as an api somewhere (idk which group) if we don't want to rely on another runtime's.
4. an option to set a different default maybe as a kubelet config option (also might require 3 unless we just default to another runtimes)

I am kinda in favor of 2, 3, and 4 so we have the most control.

[timstclair]

2,3 sound good to me. I think we can do (2) before fully implementing (3), since it's technically still an "alpha" feature. I think we should use the OCI spec, but I don't know the details on it. (4) is essentially already implemented on the PodSecurityPolicy, via an annotation (should graduate to a field before seccomp support goes to beta): "seccomp.security.alpha.kubernetes.io/defaultProfileName" (see https://github.com/kubernetes/kubernetes/blob/master/pkg/security/podsecuritypolicy/seccomp/strategy.go)

[jessfraz]

(4) is essentially already implemented on the PodSecurityPolicy, via an annotation

makes sense

I think we should use the OCI spec, but I don't know the details on it

Should we use theirs as a base and make our own or vendor theirs (ie what happens if they change theirs)

[timstclair]

Should we use theirs as a base and make our own or vendor theirs (ie what happens if they change theirs)

That's a question for @kubernetes/sig-api-machinery-misc, but my hunch is that we create our own copy (rather than vendoring), since I don't think we have any other examples of embedding a third party API in ours (unless it's opaque)

[jessfraz]

cool thats what i was leaning towards :)

…

On Mon, May 22, 2017 at 11:57 PM, Tim St. Clair ***@***.***> wrote: Should we use theirs as a base and make our own or vendor theirs (ie what happens if they change theirs) That's a question for @kubernetes/sig-api-machinery-misc <https://github.com/orgs/kubernetes/teams/sig-api-machinery-misc>, but my hunch is that we create our own copy (rather than vendoring), since I don't think we have any other examples of embedding a third party API in ours (unless it's opaque) — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#39845 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABYNbFj4EA4CEFFzUjn6YDpSLmqmJi5vks5r8hLmgaJpZM4LifTL> .

-- Jessie Frazelle 4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3 pgp.mit.edu <http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3>

[jessfraz]

I'll open a proposal this afternoon :)

…

On May 22, 2017 7:01 PM, "Jess Frazelle" ***@***.***> wrote: cool thats what i was leaning towards :) On Mon, May 22, 2017 at 11:57 PM, Tim St. Clair ***@***.***> wrote: > Should we use theirs as a base and make our own or vendor theirs (ie what > happens if they change theirs) > > That's a question for @kubernetes/sig-api-machinery-misc > <https://github.com/orgs/kubernetes/teams/sig-api-machinery-misc>, but my > hunch is that we create our own copy (rather than vendoring), since I don't > think we have any other examples of embedding a third party API in ours > (unless it's opaque) > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub > <https://github.com/kubernetes/kubernetes/issues/ 39845#issuecomment-303242333>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/ ABYNbFj4EA4CEFFzUjn6YDpSLmqmJi5vks5r8hLmgaJpZM4LifTL> > . > -- Jessie Frazelle 4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3 pgp.mit.edu <http://pgp.mit.edu/pks/lookup?op=get&search= 0x18F3685C0022BFF3> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#39845 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABYNbBZm91alwgzF1H1jqj6uylRuWWMaks5r8hPXgaJpZM4LifTL> .

[DjangoPeng]

@jessfraz So can we use the default profile to set seccomp as docker/default now?

[feiskyer]

I think we should spec the seccomp format first, refer #39128. or else, other container runtimes couldn't know how to process docker/default.

[jessfraz]

For other runtimes that is why we are using the docker default as a base... not literally docker/default. but yes we can spec it out

On Thu, May 25, 2017 at 04:02 Pengfei Ni ***@***.***> wrote: I think we should spec the seccomp format first, refer #39128 <#39128>. or else, other container runtimes couldn't know how to process docker/default. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#39845 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABYNbPXPe5BC0qtVMEg1Fa61gXHlO8zHks5r9TWagaJpZM4LifTL> .

-- Jessie Frazelle 4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3 pgp.mit.edu <http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3>

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

[justincormack]

/remove-lifecycle stale

[dims]

discussion on seccomp format is here : #52827

[liggitt]

not sure a docker-specific seccomp name is good as a default

[tallclair]

/assign @wangzhen127

[k8s-ci-robot]

@tallclair: GitHub didn't allow me to assign the following users: wangzhen127.

Note that only kubernetes members and repo collaborators can be assigned.

In response to this:

/assign @wangzhen127

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@wangzhen127: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

/reopen

There is followup work.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[RRAlex]

/remove-lifecycle stale

[jesseendahl]

What's blocking this from happening at this point? cc @mayakacz @destijl

[dims]

long-term-issue (note to self)

[tallclair]

What's blocking this from happening at this point?

Generally, the fact that this a breaking change, and it's very hard to get breaking changes into Kubernetes these days, especially something that is hard to get visibility into.

Other issues are that this is still an "alpha" feature, but predates feature gates, so it's an alpha feature that's enabled in every cluster. Before changing the default, we probably need to promote the feature to GA, which includes:

1. Migrating the annotation to a pod field
2. Improving the profile management, so that profiles can be written as configmaps or k8s resources, and loaded by the node from there.
3. Create Kubernetes standard profiles, which can eventually be made the default (can be a copy of the docker default)

And possibly:

4. Create a tool for running seccomp in an "audit only" mode to capture any violations before potentially breaking workloads.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.