Implement PodSecurityPolicy enforcement for seccomp GA #92856
/test pull-kubernetes-verify
/assign @liggitt kindly asking for review.
/test pull-kubernetes-bazel-test
Can we base this on #91408, and expose and use
diff --git a/pkg/security/podsecuritypolicy/seccomp/strategy.go b/pkg/security/podsecuritypolicy/seccomp/strategy.go
index 0c8d3faf9e5..83d024dce74 100644
--- a/pkg/security/podsecuritypolicy/seccomp/strategy.go
+++ b/pkg/security/podsecuritypolicy/seccomp/strategy.go
@@ -83,6 +83,10 @@ func (s *strategy) Generate(annotations map[string]string, pod *api.Pod) (string
// Profile already set, nothing to do.
return annotations[api.SeccompPodAnnotationKey], nil
}
+ if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
+ // Profile field already set, translate to annotation
+ return SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile), nil
+ }
return s.defaultProfile, nil
}
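Review bot: in Generate the new field check sits after the `// Profile already set, nothing to do.` early return, so a pod that carries both the annotation and `pod.Spec.SecurityContext.SeccompProfile` keeps the annotation value even when the two disagree. A one-line comment here stating that annotation-over-field precedence is intentional (or that a mismatch is expected to be rejected before this runs) would save the next reader from re-deriving it, particularly since profileForContainer further down consults the field before the annotation.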
@@ -92,6 +96,10 @@ func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
allErrs := field.ErrorList{}
podSpecFieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)
podProfile := pod.Annotations[api.SeccompPodAnnotationKey]
+ // if the annotation is not set, see if the field is set and derive the corresponding annotation value
+ if len(podProfile) == 0 && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
+ podProfile = SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
+ }
if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && podProfile != "" {
allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, "seccomp may not be set"))
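Review bot: when podProfile is derived from the field in the new block, any error still reports `podSpecFieldPath`, which is built from `field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)`, so a user who set only `pod.spec.securityContext.seccompProfile` gets a Forbidden error pointing at an annotation they never wrote. Consider recording which source the value came from and using a path under `pod.spec.securityContext.seccompProfile` for the field-derived case.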
@@ -141,9 +149,19 @@ func (s *strategy) profileAllowed(profile string) bool {
// profileForContainer returns the container profile if set, otherwise the pod profile.
func profileForContainer(pod *api.Pod, container *api.Container) string {
+ if container.SecurityContext != nil && container.SecurityContext.SeccompProfile != nil {
+ // derive the annotation value from the container field
+ return SeccompAnnotationForField(container.SecurityContext.SeccompProfile)
+ }
containerProfile, ok := pod.Annotations[api.SeccompContainerAnnotationKeyPrefix+container.Name]
if ok {
+ // return the existing container annotation
return containerProfile
}
+ if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
+ // derive the annotation value from the pod field
+ return SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
+ }
+ // return the existing pod annotation
return pod.Annotations[api.SeccompPodAnnotationKey]
} |
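Review bot: the lookup order in profileForContainer is now container field, container annotation, pod field, pod annotation, so at both levels the field wins over the annotation, whereas Generate returns the pod annotation before it consults the pod field. If defaulting guarantees the two always agree this is harmless, but the function comment should spell out the full precedence, and a unit test with a container whose field differs from its annotation would pin the intended behaviour down.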
/hold cancel
Unfortunately it does not, we have to find another location for the utility methods:
Would At least import-boss does not complain if I import Edit: I think it will not work because both functions depend on
You can add
This implements the necessary pieces for the PodSecurityPolicy enforcement as described in the appropriate KEP section: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/20190717-seccomp-ga.md#podsecuritypolicy-enforcement Signed-off-by: Sascha Grunert <sgrunert@suse.com>
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: liggitt, saschagrunert. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm
/retest
What type of PR is this?
/kind feature
What this PR does / why we need it:
This implements the necessary pieces for the PodSecurityPolicy
enforcement as described in the appropriate KEP section:
https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/20190717-seccomp-ga.md#podsecuritypolicy-enforcement
Which issue(s) this PR fixes:
Refers to #91286
Special notes for your reviewer:
Based on #91408
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: