Add seccomp least privilege for docker sandbox

[pjbgf]

What type of PR is this?
/kind bug

What this PR does / why we need it:
Decreases the sandbox's attack surface by running it with no-new-privileges and with the runtime/default seccomp profile.

As a side effect, it allows end users to set seccomp profiles at pod level with the same profile as they would for container level, considering the pod only has containers with AllowPrivilegeEscalation=false.

Without this PR users had to whitelist some syscalls regardless of their containers needing them: capset, set_tid_address, setgid, setgroups, setuid and etc. More information and examples at #84623.

Which issue(s) this PR fixes:
Part of #84623 (for dockershim)
Part of #81115 (for sandbox)

Special notes for your reviewer:
Feature parity for kuberuntime will be done through a different PR.

Does this PR introduce a user-facing change?:

dockershim security: pod sandbox now always run with `no-new-privileges` and `runtime/default` seccomp profile
dockershim seccomp: custom profiles can now have smaller seccomp profiles when set at pod level

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

NONE

/cc @tallclair @Random-Liu @dims @mattjmcnaughton
/sig node
/area security

[pjbgf]

@tallclair @Random-Liu would this be a feasible fix for v1.19?

/area security

[pjbgf]

/assign @derekwaynecarr

[pjbgf]

/test pull-kubernetes-e2e-kind
/test pull-kubernetes-conformance-kind-ga-only-parallel

[pjbgf]

/test pull-kubernetes-verify

[mattjmcnaughton]

/uncc

I'll follow along here, but unfortunately not sure I have the context to approve/request changes on this change.

[pjbgf]

Adding @tallclair given that this is related to seccomp.

/assign @tallclair

[pjbgf]

/cc @hasheddan @evrardjp @saschagrunert

[k8s-ci-robot]

@pjbgf: GitHub didn't allow me to request PR reviews from the following users: evrardjp.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @hasheddan @evrardjp @saschagrunert

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pjbgf]

@liggitt Would be good to consider this as part of validating seccomp GA, as the current behaviour is not very user friendly.

/cc @liggitt

[pjbgf]

/test pull-kubernetes-e2e-gce-ubuntu-containerd

[hasheddan]

/lgtm

Looking forward to this functionality. Another example of a seccomp profile for a Pod that has to be overly verbose for the syscalls required by the single container can be found in the seccomp GA docs PR: https://github.com/kubernetes/website/pull/21278/files#diff-f55fbc3a157f149b16c43d874a26d4b5

[derekwaynecarr]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, pjbgf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/kubelet/OWNERS [derekwaynecarr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[pjbgf]

/retest

[pjbgf]

/retest

[saschagrunert]

/retest

[saschagrunert]

/retest

[saschagrunert]

/test pull-kubernetes-e2e-kind

[qingsenLi]

I met an issue
When os and docker enable selinux,k8s set seLinuxOptions,than sandbox container start failed.
k8s version: 1.19.4
k8s logs:
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "c45b54a455eae51c4d604cb8b10d18060b8a1134cc2b923fff5045dfe838d91d" network for pod "nginx-cfb5s": networkPlugin cni failed to set up pod "nginx-cfb5s_default" network: failed to Statfs "/proc/74455/ns/net": no such file or directory

[root@default-np-1:/home/ubuntu]$ docker logs 0f825721defb (sandbox container)
standard_init_linux.go:175: exec user process caused "operation not permitted"

docker inspect shows:
"SecurityOpt": [
"label=level:s0:c0,c1023",
"no-new-privileges"
],

When removed "no-new-privileges", sandbox container start success.
code:
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
// run sandbox with no-new-privileges and using runtime/default
// sending no "seccomp=" means docker will use default profile
// return []string{"no-new-privileges"}
return nil

I don't kown what happened,I find this PR about "no-new-privileges" for help.thanks
/assign @pjbgf @derekwaynecarr