From b43a08145a24ea90e740487ae698cbe838a0c4da Mon Sep 17 00:00:00 2001 From: Jed Lejosne Date: Fri, 27 Jan 2023 11:26:58 -0500 Subject: [PATCH] KubeVirt: enable the seccomp feature gate and custom profile (#2220) Signed-off-by: Jed Lejosne --- .../hyperconverged_controller_test.go | 8 ++++++++ controllers/operands/kubevirt.go | 19 +++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/controllers/hyperconverged/hyperconverged_controller_test.go b/controllers/hyperconverged/hyperconverged_controller_test.go index 2d2f6458c..1d5e089bd 100644 --- a/controllers/hyperconverged/hyperconverged_controller_test.go +++ b/controllers/hyperconverged/hyperconverged_controller_test.go @@ -214,6 +214,7 @@ var _ = Describe("HyperconvergedController", func() { "WithHostPassthroughCPU", "VMExport", "DisableCustomSELinuxPolicy", + "KubevirtSeccompProfile", } // Get the KV kvList := &kubevirtcorev1.KubeVirtList{} @@ -224,6 +225,13 @@ var _ = Describe("HyperconvergedController", func() { Expect(kv.Spec.Configuration.DeveloperConfiguration.FeatureGates).To(HaveLen(len(expectedFeatureGates))) Expect(kv.Spec.Configuration.DeveloperConfiguration.FeatureGates).To(ContainElements(expectedFeatureGates)) + // Ensure the KubeVirt seccomp profile is set + Expect(kv.Spec.Configuration.SeccompConfiguration).ToNot(BeNil()) + Expect(kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile).ToNot(BeNil()) + Expect(kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile.CustomProfile).ToNot(BeNil()) + Expect(kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile.CustomProfile.RuntimeDefaultProfile).To(BeFalse()) + Expect(*kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile.CustomProfile.LocalhostProfile).To(Equal("kubevirt/kubevirt.json")) + res, err = r.Reconcile(context.TODO(), request) Expect(err).ToNot(HaveOccurred()) Expect(res).Should(Equal(reconcile.Result{Requeue: false})) 
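Review bot: The last new assertion dereferences `CustomProfile.LocalhostProfile` directly, so a nil pointer there panics the spec instead of producing a readable failure, even though every parent field above it is guarded with `ToNot(BeNil())`. Either add `Expect(kv.Spec.Configuration.SeccompConfiguration.VirtualMachineInstanceProfile.CustomProfile.LocalhostProfile).ToNot(BeNil())` before the dereference, or, if the vendored Gomega has it, use `To(HaveValue(Equal("kubevirt/kubevirt.json")))` on the pointer itself. The literal `"kubevirt/kubevirt.json"` is repeated here and in `getKVSeccompConfig`; referencing one shared constant from the operands package would keep the test from silently passing against a stale copy. The enclosing `Describe` block starts and ends outside this hunk.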
diff --git a/controllers/operands/kubevirt.go b/controllers/operands/kubevirt.go index 07364f702..164343898 100644 --- a/controllers/operands/kubevirt.go +++ b/controllers/operands/kubevirt.go @@ -95,6 +95,9 @@ const ( // Disable the installation and usage of the custom SELinux policy kvDisableCustomSELinuxPolicyGate = "DisableCustomSELinuxPolicy" + + // Enable the installation of the KubeVirt seccomp profile + kvKubevirtSeccompProfile = "KubevirtSeccompProfile" ) var ( @@ -112,6 +115,7 @@ var ( kvNUMA, kvVMExportGate, kvDisableCustomSELinuxPolicyGate, + kvKubevirtSeccompProfile, } // holds a list of mandatory KubeVirt feature gates. Some of them are the hard coded feature gates and some of @@ -353,6 +357,8 @@ func getKVConfig(hc *hcov1beta1.HyperConverged) (*kubevirtcorev1.KubeVirtConfigu return nil, err } + seccompConfig := getKVSeccompConfig() + config := &kubevirtcorev1.KubeVirtConfiguration{ DeveloperConfiguration: devConfig, NetworkConfiguration: &kubevirtcorev1.NetworkConfiguration{ @@ -368,6 +374,7 @@ func getKVConfig(hc *hcov1beta1.HyperConverged) (*kubevirtcorev1.KubeVirtConfigu WebhookConfiguration: rateLimiter, ControllerConfiguration: rateLimiter, HandlerConfiguration: rateLimiter, + SeccompConfiguration: seccompConfig, } if smbiosConfig, ok := os.LookupEnv(smbiosEnvName); ok { 
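Review bot: The new constant `kvKubevirtSeccompProfile` drops the `Gate` suffix that its neighbours carry (`kvDisableCustomSELinuxPolicyGate`, `kvVMExportGate`), so in the gate list further down it reads like a profile name rather than a feature gate. Renaming it `kvKubevirtSeccompProfileGate = "KubevirtSeccompProfile"` keeps the list uniform without changing the string value. The comment could also tie the gate to the profile it is paired with in this patch, e.g. `// Enable installation of the KubeVirt seccomp profile that getKVSeccompConfig references` — the installation mechanism itself is not visible in this diff, so that wording is an inference to confirm. The `const` block continues outside the hunk.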
@@ -568,6 +575,18 @@ func getKVDevConfig(hc *hcov1beta1.HyperConverged) (*kubevirtcorev1.DeveloperCon return devConf, nil } +// Static for now, could be configured in the HCO CR in the future +func getKVSeccompConfig() *kubevirtcorev1.SeccompConfiguration { + kubevirtProfile := "kubevirt/kubevirt.json" + return &kubevirtcorev1.SeccompConfiguration{ + VirtualMachineInstanceProfile: &kubevirtcorev1.VirtualMachineInstanceProfile{ + CustomProfile: &kubevirtcorev1.CustomProfile{ + LocalhostProfile: &kubevirtProfile, + }, + }, + } +} + func NewKubeVirtWithNameOnly(hc *hcov1beta1.HyperConverged, opts ...string) *kubevirtcorev1.KubeVirt { return &kubevirtcorev1.KubeVirt{ ObjectMeta: metav1.ObjectMeta{
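Review bot: `getKVSeccompConfig` hard-codes a localhost seccomp profile, `kubevirt/kubevirt.json`, without noting that a localhost profile is resolved by the kubelet relative to its per-node seccomp directory, so a VMI pod is rejected on any node where that file is absent; presumably the `KubevirtSeccompProfile` gate added in the same patch is what installs it, but that coupling is not stated anywhere. Suggest lifting the literal to a package-level `const kvSeccompProfileLocalhostPath = "kubevirt/kubevirt.json"` next to the gate constant, so the test and this function share one definition, and replacing the one-line comment with a doc comment stating the purpose, that `RuntimeDefaultProfile` is deliberately left false in favour of the custom profile, and that the gate must remain enabled for the profile to be present on nodes. The function is fully contained in this hunk.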