KubeVirt: enable the seccomp feature gate and custom profile (#2220)

Signed-off-by: Jed Lejosne <jed@redhat.com>
kubevirt · Jan 27, 2023 · b43a081 · b43a081
1 parent 8596bc0
commit b43a081
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/controllers/hyperconverged/hyperconverged_controller_test.go b/controllers/hyperconverged/hyperconverged_controller_test.go
@@ -214,6 +214,7 @@ var _ = Describe("HyperconvergedController", func() {
 					"WithHostPassthroughCPU",
 					"VMExport",
 					"DisableCustomSELinuxPolicy",
+					"KubevirtSeccompProfile",
 				}
 				// Get the KV
 				kvList := &kubevirtcorev1.KubeVirtList{}
@@ -224,6 +225,13 @@ var _ = Describe("HyperconvergedController", func() {
 				Expect(kv.Spec.Configuration.DeveloperConfiguration.FeatureGates).To(HaveLen(len(expectedFeatureGates)))
 				Expect(kv.Spec.Configuration.DeveloperConfiguration.FeatureGates).To(ContainElements(expectedFeatureGates))
 
+				// Ensure the KubeVirt seccomp profile is set
+				Expect(kv.Spec.Configuration.SeccompConfiguration).ToNot(BeNil())
+				Expect(kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile).ToNot(BeNil())
+				Expect(kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile.CustomProfile).ToNot(BeNil())
+				Expect(kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile.CustomProfile.RuntimeDefaultProfile).To(BeFalse())
+				Expect(*kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile.CustomProfile.LocalhostProfile).To(Equal("kubevirt/kubevirt.json"))
+
 				res, err = r.Reconcile(context.TODO(), request)
 				Expect(err).ToNot(HaveOccurred())
 				Expect(res).Should(Equal(reconcile.Result{Requeue: false}))

diff --git a/controllers/operands/kubevirt.go b/controllers/operands/kubevirt.go
@@ -95,6 +95,9 @@ const (
 
 	// Disable the installation and usage of the custom SELinux policy
 	kvDisableCustomSELinuxPolicyGate = "DisableCustomSELinuxPolicy"
+
+	// Enable the installation of the KubeVirt seccomp profile
+	kvKubevirtSeccompProfile = "KubevirtSeccompProfile"
 )
 
 var (
@@ -112,6 +115,7 @@ var (
 		kvNUMA,
 		kvVMExportGate,
 		kvDisableCustomSELinuxPolicyGate,
+		kvKubevirtSeccompProfile,
 	}
 
 	// holds a list of mandatory KubeVirt feature gates. Some of them are the hard coded feature gates and some of
@@ -353,6 +357,8 @@ func getKVConfig(hc *hcov1beta1.HyperConverged) (*kubevirtcorev1.KubeVirtConfigu
 		return nil, err
 	}
 
+	seccompConfig := getKVSeccompConfig()
+
 	config := &kubevirtcorev1.KubeVirtConfiguration{
 		DeveloperConfiguration: devConfig,
 		NetworkConfiguration: &kubevirtcorev1.NetworkConfiguration{
@@ -368,6 +374,7 @@ func getKVConfig(hc *hcov1beta1.HyperConverged) (*kubevirtcorev1.KubeVirtConfigu
 		WebhookConfiguration:         rateLimiter,
 		ControllerConfiguration:      rateLimiter,
 		HandlerConfiguration:         rateLimiter,
+		SeccompConfiguration:         seccompConfig,
 	}
 
 	if smbiosConfig, ok := os.LookupEnv(smbiosEnvName); ok {
@@ -568,6 +575,18 @@ func getKVDevConfig(hc *hcov1beta1.HyperConverged) (*kubevirtcorev1.DeveloperCon
 	return devConf, nil
 }
 
+// Static for now, could be configured in the HCO CR in the future
+func getKVSeccompConfig() *kubevirtcorev1.SeccompConfiguration {
+	kubevirtProfile := "kubevirt/kubevirt.json"
+	return &kubevirtcorev1.SeccompConfiguration{
+		VirtualMachineInstanceProfile: &kubevirtcorev1.VirtualMachineInstanceProfile{
+			CustomProfile: &kubevirtcorev1.CustomProfile{
+				LocalhostProfile: &kubevirtProfile,
+			},
+		},
+	}
+}
+
 func NewKubeVirtWithNameOnly(hc *hcov1beta1.HyperConverged, opts ...string) *kubevirtcorev1.KubeVirt {
 	return &kubevirtcorev1.KubeVirt{
 		ObjectMeta: metav1.ObjectMeta{