Seccomp

[pweil-]

Description

Seccomp support is providing the ability to define seccomp profiles and configure pods to run with those profiles. This includes the ability control usage of the profiles via PSP as well as maintaining the ability to run as unconfined or with the default container runtime profile.

KEP: sig-node/20190717-seccomp-ga.md
Latest PR to update the KEP: #1747

Progress Tracker

• Alpha
  • Write and maintain draft quality doc: available in downstream OpenShift more detailed seccomp documentation openshift/openshift-docs#2975
  • Design Approval
    • Design Proposal #24602
    • Decide which repo this feature's code will be checked into. Not everything needs to land in the core kubernetes repo. REPO-NAME
    • Initial API review (if API). Maybe same PR as design doc. Seccomp Proposal kubernetes#24602
      • Any code that changes an API (/pkg/apis/...)
      • cc @kubernetes/api
    • Identify shepherd (your SIG lead and/or [email protected] will be able to help you). My Shepherd is: [email protected] (and/or GH Handle)
      • A shepherd is an individual who will help acquaint you with the process of getting your feature into the repo, identify reviewers and provide feedback on the feature. They are not (necessarily) the code reviewer of the feature, or tech lead for the area.
      • The shepherd is not responsible for showing up to Kubernetes-PM meetings and/or communicating if the feature is on-track to make the release goals. That is still your responsibility.
    • Identify secondary/backup contact point. My Secondary Contact Point is: [email protected] (and/or GH Handle)
  • Write (code + tests + docs) then get them merged. Add Seccomp to Annotations kubernetes#25324 Move /seccomp/ into domain prefix in seccomp annotations kubernetes#26710 Filter seccomp profile path from malicious .. and / kubernetes#27036
    • Code needs to be disabled by default. Verified by code OWNERS
    • Minimal testing: limited e2e tests https://github.com/kubernetes/kubernetes/blob/33ebe1f18b9cf5909931376f656e19e80ac9ac1c/test/e2e/security_context.go#L110
    • Minimal docs
      • cc @kubernetes/docs on docs PR
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
      • New apis: Glossary Section Item in the docs repo: kubernetes/kubernetes.github.io
    • Update release notes https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md/#changes-since-v130-alpha4
• Beta
  • Testing is sufficient for beta
  • User docs with tutorials
    • Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
    • cc @kubernetes/docs on docs PR
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
  • Thorough API review
    • cc @kubernetes/api
• Stable
  • docs/proposals/foo.md moved to docs/design/foo.md
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
  • Soak, load testing
  • detailed user docs and examples
    • cc @kubernetes/docs
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

• Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

• Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
• As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
  and sometimes http://github.com/kubernetes/contrib, or other repos.
• When you are done with the code, apply the "code-complete" label.
• When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
  check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
  testing. They won't do detailed code review: that already happened when your PRs were reviewed.
  When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

• Write user docs and get them merged in.
• User docs go into http://github.com/kubernetes/kubernetes.github.io.
• When the feature has user docs, please add a comment mentioning @kubernetes/docs.
• When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.

[pweil-]

@derekwaynecarr @sttts @erictune didn't see an issue for this but it is already in alpha. Creating this as the reminder to push it through to beta and stable.

@sttts could you provide the appropriate links to docs and PRs? I think you are closest to this code.

[derekwaynecarr]

@pweil- @sttts - per our discussion, this is a feature we would like to sponsor in Kubernetes 1.6 under @kubernetes/sig-node

[idvoretskyi]

@pweil- @derekwaynecarr please, confirm that this feature has to be set with 1.6 milestone.

[sttts]

@idvoretskyi we target to move it to beta for 1.6.

[idvoretskyi]

@sttts thanks.

[bgrant0607]

Looks like this is still alpha:

https://github.com/kubernetes/community/blob/master/contributors/design-proposals/seccomp.md
https://github.com/kubernetes/kubernetes/blob/master/pkg/api/annotation_key_constants.go#L35

And I couldn't find any documentation on kubernetes.io/docs.

[idvoretskyi]

@pweil- any updates for 1.8? Is this feature still on track for the release?

[pweil-]

@idvoretskyi this was not a priority for 1.8. @php-coder can you add a card to this for our PM planning? We need to stop letting this fall through the cracks and get it moved to beta and GA.

[idvoretskyi]

@pweil- if this feature is not planned for 1.8 - please, update the milestone with the "next-milestone" or "1.9"

[tallclair]

I'd like to see this get to beta. Priorities (or requirements) for that include:

1. Annotations (Pod & PodSecurityPolicy) must be moved to fields on the container SecurityContext (see https://github.com/kubernetes/community/blob/master/contributors/devel/api_changes.md#alpha-field-in-existing-api-version)
2. Settle on the OCI spec seccomp format, and define a Kubernetes default profile (can we reuse Docker's?) Proposal: spec the seccomp profile format kubernetes#39128
   a. Figure out how the Kubernetes profile is delivered to the container runtime via CRI (/cc @yujuhong @Random-Liu )
   b. docker/default should still be allowed if the runtime is docker (for backwards compatibility)
3. The Kubernetes default profile should be the new default. For backwards compatibility, this MUST be optional behavior (i.e. flag controlled). Change seccomp default to 'docker/default' kubernetes#39845

Is anyone interested in driving this work for the 1.9 (or 1.10) milestone? @jessfraz @kubernetes/sig-auth-feature-requests and @kubernetes/sig-node-feature-requests I'm looking at you 😉

Also relevant: kubernetes/community#660 (do we need to settle the decisions in that PR before proceeding?)

[tallclair]

/cc @destijl

[jessfraz]

If someone has time and wants to do it they are more than welcome to and I will help answer any questions

…

On Sep 22, 2017 20:54, "Tim Allclair (St. Clair)" ***@***.***> wrote: /cc @destijl <https://github.com/destijl> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#135 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABYNbDldlrwbOP75Y2AKM-bUFLnwrq0eks5slFbcgaJpZM4KgBy_> .

[jessfraz]

ok I will update the proposal and start on this tomorrow if no one else will ;)

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[pjbgf]

/remove-lifecycle stale

[tallclair]

/lifecycle frozen

@pjbgf @saschagrunert Are we just keeping this open to track the annotation removal at this point?

I think the only remaining task is to stop copying annotations to fields, in v1.27?

[saschagrunert]

@pjbgf @saschagrunert Are we just keeping this open to track the annotation removal at this point?

I think the only remaining task is to stop copying annotations to fields, in v1.27?

Yep, exactly let's keep it open to track this last point.

[saschagrunert]

I assume that we're now aim to close out this one for 1.27 (kubernetes/kubernetes#91286 (comment)).

[saschagrunert]

This can be considered as done now.

[sftim]

Is this definitely done? It looks like the docs might not be finished.

[sftim]

We should document all features that graduate to GA. I think that's especially important for security controls.
/reopen

to track the remaining work.

[k8s-ci-robot]

@sftim: Reopened this issue.

In response to this:

We should document all features that graduate to GA. I think that's especially important for security controls.
/reopen

to track the remaining work.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[kannon92]

@saschagrunert @tallclair @sftim What are the action items for 1.32 for this feature?

[sftim]

I think seccomp is stable; I reopened this because we want GA-quality docs (I assume we do). However, docs are continuously delivered so no need to make 1.32 plans around documentation

Pages / sections we might update:

• https://kubernetes.io/docs/concepts/workloads/pods/#pod-security
• https://kubernetes.io/docs/concepts/security/linux-kernel-security-constraints/
• https://kubernetes.io/docs/concepts/security/#workload-protection

I know that AppArmor is also underdocumented, however whether or not AppArmor is well documented, we should add a bit more detail about what goes into the seccompProfile field - a reference page within https://kubernetes.io/docs/reference/node/ would really help. We have https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 but that page links on to the task page, not to a detailed reference.

[saschagrunert]

I guess we can update https://kubernetes.io/docs/reference/node to contain a seccomp page.

We also have https://kubernetes.io/docs/tutorials/security/seccomp

[kannon92]

Since this is stable, can you create issues in k8s/website to enhance docs for this?

/close

[k8s-ci-robot]

@kannon92: Closing this issue.

In response to this:

Since this is stable, can you create issues in k8s/website to enhance docs for this?

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sftim]

I'm loth to see KEPs closed without staffing work that should have been done before graduation, but I can't force the issue.

[sftim]

Since this is stable, can you create issues in k8s/website to enhance docs for this?

Doing that work isn't a priority for me. Happy for someone else to.

[saschagrunert]

Opened kubernetes/website#47687 to track the work.