Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure the default local seccomp profile according to the runtime #1255

Merged
merged 16 commits into from
Nov 17, 2022

Conversation

ccojocar
Copy link
Contributor

@ccojocar ccojocar commented Oct 21, 2022

What type of PR is this?

/kind bug

What this PR does / why we need it:

Currently the spod fails to start on cri-o runtime because unlike containerd or docker, the cri-o runtime expects the local seccomp profile to be prefixed with 'localhost'.

See for more details https://github.com/cri-o/cri-o/blob/1e6fd9c520d03d47835d1d4c3209e0f77c38f542/internal/config/seccomp/seccomp.go#L240

Which issue(s) this PR fixes:

Does this PR have test?

yes

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Configure the default local seccomp profile according to the runtime (e.g. cri-o expects the profile to be prefixed with `localhost`).

@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 21, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @ccojocar. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot requested review from jhrozek and pjbgf October 21, 2022 14:38
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 21, 2022
@JAORMX
Copy link
Contributor

JAORMX commented Oct 21, 2022

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 21, 2022
@ccojocar ccojocar force-pushed the fix_crio_default_profile branch from d8daa4a to cd2c7f4 Compare October 24, 2022 07:51
@ccojocar
Copy link
Contributor Author

/test all

@ccojocar
Copy link
Contributor Author

/test build

@k8s-ci-robot
Copy link
Contributor

@ccojocar: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-security-profiles-operator-build
  • /test pull-security-profiles-operator-build-image
  • /test pull-security-profiles-operator-test-e2e
  • /test pull-security-profiles-operator-test-unit
  • /test pull-security-profiles-operator-verify

Use /test all to run all jobs.

In response to this:

/test build

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ccojocar
Copy link
Contributor Author

/test pull-security-profiles-operator-build

@JAORMX
Copy link
Contributor

JAORMX commented Oct 24, 2022

/retest

@codecov-commenter
Copy link

codecov-commenter commented Oct 24, 2022

Codecov Report

Merging #1255 (bcc11f8) into main (e87e953) will increase coverage by 0.00%.
The diff coverage is 42.85%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1255   +/-   ##
=======================================
  Coverage   44.80%   44.80%           
=======================================
  Files          48       48           
  Lines        5406     5432   +26     
=======================================
+ Hits         2422     2434   +12     
- Misses       2864     2876   +12     
- Partials      120      122    +2     

@ccojocar
Copy link
Contributor Author

/test pull-security-profiles-operator-test-e2e

@ccojocar
Copy link
Contributor Author

/test all

1 similar comment
@ccojocar
Copy link
Contributor Author

/test all

@ccojocar ccojocar force-pushed the fix_crio_default_profile branch from 0e612ba to 37ee2b6 Compare October 25, 2022 13:37
@ccojocar ccojocar force-pushed the fix_crio_default_profile branch 3 times, most recently from 92ce73c to 4776916 Compare November 4, 2022 08:05
@ccojocar
Copy link
Contributor Author

ccojocar commented Nov 4, 2022

/test all

1 similar comment
@ccojocar
Copy link
Contributor Author

ccojocar commented Nov 4, 2022

/test all

@ccojocar ccojocar force-pushed the fix_crio_default_profile branch from 4776916 to b1cb4a8 Compare November 4, 2022 10:18
@ccojocar
Copy link
Contributor Author

ccojocar commented Nov 4, 2022

/test all

@ccojocar ccojocar force-pushed the fix_crio_default_profile branch from 4828fbf to f28017a Compare November 16, 2022 15:37
@ccojocar
Copy link
Contributor Author

@saschagrunert All checks finally passed after some reworking. Please could you have a look? Thanks

@saschagrunert
Copy link
Member

Currently the spod fails to start on cri-o runtime because unlike containerd or docker, the cri-o runtime expects the local seccomp profile to be prefixed with 'localhost'.

I do not understand this. We test with CRI-O in the CI, so what is the error case?

@ccojocar
Copy link
Contributor Author

It seems to work on the CI because everything is copied into the root folder but we hit this place in our cluster when running on CRI-O: https://github.com/cri-o/cri-o/blob/1e6fd9c520d03d47835d1d4c3209e0f77c38f542/internal/config/seccomp/seccomp.go#L240

	// Load local seccomp profiles including their availability validation
	if !strings.HasPrefix(profilePath, k8sV1.SeccompLocalhostProfileNamePrefix) {
		return fmt.Errorf("unknown seccomp profile path: %q", profilePath)
	}

As far as I can understand, it expects that the profile is loaded from localhost/....

@saschagrunert
Copy link
Member

@ccojocar
Copy link
Contributor Author

I see but I don't get why in our case we hit the setupFromPath at least from what I see in the error message.

I was wondering because the fix here has no effect on CI cluster. The profile had to be copied under localhost in order to get it working on CI.

On the setupFromPath case the prefix gets stripped off after the check, right?
https://github.com/cri-o/cri-o/blob/1e6fd9c520d03d47835d1d4c3209e0f77c38f542/internal/config/seccomp/seccomp.go#L244

So essential, it doesn't need to be copy under localhost folder, just the localhost prefix needs to be part of the path in the security context.

@ccojocar
Copy link
Contributor Author

It might be because the Kubernetes version in that cluster is 1.22 and the Field based seccomp profiles are available in the newer version.

@ccojocar
Copy link
Contributor Author

@saschagrunert if we want to support older version of kubernetes, we will need to prefix the path in the security context. Right? Do you know in which version the switch was made to field base?

@saschagrunert
Copy link
Member

Hm, we introduced the fields in 1.19 with seccomp going GA. Do we also use CRI-O 1.22 with k8s 1.22?

@ccojocar
Copy link
Contributor Author

ccojocar commented Nov 17, 2022

Hm, we introduced the fields in 1.19 with seccomp going GA. Do we also use CRI-O 1.22 with k8s 1.22?

yeah, we use v1.22.5.

@ccojocar
Copy link
Contributor Author

We will eventually upgrade, but for now we need to support this.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 17, 2022
@ccojocar
Copy link
Contributor Author

I should revert the changes in non-root enabler which should not copy the profile under localhost but we still need to add the localhost prefix into the security context but also check the Kubernetes version. I am thinking that for newer version this is not required.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ccojocar, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 17, 2022
@ccojocar
Copy link
Contributor Author

@saschagrunert Thanks for approving but I think this is not the final fix. As mentioned above we don't need to copy under localhost folder because the prefix is stripped out.

@saschagrunert
Copy link
Member

/test pull-security-profiles-operator-test-e2e

@k8s-ci-robot k8s-ci-robot merged commit 7076fc1 into kubernetes-sigs:main Nov 17, 2022
@ccojocar ccojocar deleted the fix_crio_default_profile branch May 17, 2024 13:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants