Configure the default local seccomp profile according to the runtime #1255
Conversation
Hi @ccojocar. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
/test all
/test build
@ccojocar: The specified target(s) for
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test pull-security-profiles-operator-build
/retest
Codecov Report
Additional details and impacted files

@@ Coverage Diff @@
##             main    #1255   +/-   ##
=======================================
  Coverage   44.80%   44.80%
=======================================
  Files          48       48
  Lines        5406     5432   +26
=======================================
+ Hits         2422     2434   +12
- Misses       2864     2876   +12
- Partials      120      122    +2
/test pull-security-profiles-operator-test-e2e
/test all
/test all
/test all
/test all
/test all
@saschagrunert All checks finally passed after some reworking. Could you please have a look? Thanks
I do not understand this. We test with CRI-O in the CI, so what is the error case?
It seems to work on the CI because everything is copied into the root folder, but we hit this place in our cluster when running on CRI-O: https://github.com/cri-o/cri-o/blob/1e6fd9c520d03d47835d1d4c3209e0f77c38f542/internal/config/seccomp/seccomp.go#L240
As far as I can understand, it expects that the profile is loaded from
This is the code path for the annotation-based seccomp profile, but we're using the fields here, right? So we should land there: https://github.com/cri-o/cri-o/blob/1e6fd9c520d03d47835d1d4c3209e0f77c38f542/internal/config/seccomp/seccomp.go#L296-L302
I see, but I don't get why in our case we hit the I was wondering because the fix here has no effect on the CI cluster. The profile had to be copied under On the So essentially, it doesn't need to be copied under the localhost folder; just the localhost prefix needs to be part of the path in the security context.
It might be because the Kubernetes version in that cluster is 1.22 and the
@saschagrunert If we want to support older versions of Kubernetes, we will need to prefix the path in the security context, right? Do you know in which version the switch was made to field-based?
Hm, we introduced the fields in 1.19 with seccomp going GA. Do we also use CRI-O 1.22 with k8s 1.22?
Yeah, we use
We will eventually upgrade, but for now we need to support this.
I should revert the changes in the non-root enabler, which should not copy the profile under
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ccojocar, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@saschagrunert Thanks for approving, but I think this is not the final fix. As mentioned above, we don't need to copy under the localhost folder because the prefix is stripped out.
/test pull-security-profiles-operator-test-e2e
What type of PR is this?
/kind bug
What this PR does / why we need it:
Currently the spod fails to start on the cri-o runtime because, unlike containerd or docker, cri-o expects the local seccomp profile path to be prefixed with 'localhost'.
See for more details https://github.com/cri-o/cri-o/blob/1e6fd9c520d03d47835d1d4c3209e0f77c38f542/internal/config/seccomp/seccomp.go#L240
Which issue(s) this PR fixes:
Does this PR have tests?
yes
Special notes for your reviewer:
Does this PR introduce a user-facing change?
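To make the prefix handling discussed in this PR concrete, here is an added Go example (it is not code from security-profiles-operator or CRI-O): it builds the `localhost/`-prefixed reference for the pod security context and models the runtime side that strips the prefix, as noted in the thread, and resolves the remainder under a profile root while rejecting references that escape it. The profile root `/var/lib/kubelet/seccomp`, the profile names and the helper names are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// localhostPrefix marks a node-local seccomp profile; CRI-O expects it in
// front of the path (see the seccomp.go link in the PR description).
const localhostPrefix = "localhost/"

// ProfileRef returns the reference to put into the security context.
// withPrefix=true yields the CRI-O style "localhost/<relative path>";
// false yields the bare relative path. Hypothetical helper, not operator code.
func ProfileRef(relPath string, withPrefix bool) string {
	rel := strings.TrimPrefix(filepath.ToSlash(relPath), localhostPrefix)
	if withPrefix {
		return localhostPrefix + rel
	}
	return rel
}

// ResolveLocalProfile models the runtime side: "localhost/" is only a marker,
// not a real directory, so it is stripped and the remainder is joined to the
// profile root. Empty, absolute, or root-escaping references are rejected.
func ResolveLocalProfile(root, ref string) (string, error) {
	rel := strings.TrimPrefix(ref, localhostPrefix)
	if rel == "" || filepath.IsAbs(rel) {
		return "", fmt.Errorf("invalid local profile reference %q", ref)
	}
	full := filepath.Join(root, rel) // Join cleans "." and ".." segments
	inside, err := filepath.Rel(root, full)
	if err != nil || inside == ".." || strings.HasPrefix(inside, "../") {
		return "", errors.New("profile reference escapes the profile root")
	}
	return full, nil
}

func main() {
	root := "/var/lib/kubelet/seccomp" // assumed profile root
	ref := ProfileRef("operator/spo.json", true)
	fmt.Println(ref)
	fmt.Println(ResolveLocalProfile(root, ref))
	fmt.Println(ResolveLocalProfile(root, "localhost/../outside.json"))
}
```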