Set seccomp profile to RuntimeDefault for calico-kube-controllers and calico-typha #6524
Conversation
/sem-approve
@coutinhop could you own reviewing this guy?
Friendly ping @caseydavenport @coutinhop
Hey @dimityrmirchev, sorry for the delay in the review. I think this would be really good for us to have, but I'm not sure if adding this to all of the node daemonsets would work if they run as privileged. Have you tested these changes?
Also, we generate a lot of the manifests from our helm charts so a faster change might be to make the changes to those and then re-generate the manifests.
@@ -38,6 +38,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: {{include "nodeName" . }} | |||
securityContext: |
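Review bot: the pod-level `securityContext:` added here sits in the calico-node DaemonSet chart template (`serviceAccountName: {{include "nodeName" . }}`), whose containers the PR description says all run privileged, so the kubelet keeps them on Unconfined and the profile only takes effect if `privileged: true` is later dropped from a container; put a one-line comment above the key in the template stating that it is intentional as a guardrail, otherwise the next reader will remove it as dead configuration. Since the generated manifests come from this chart, regenerate them from here rather than hand-editing the generated copies.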
My understanding was that this won't make a difference for calico-node since it needs to run as privileged (though it doesn't seem to have the privileged flag set here for some reason). Does this make sense to have here?
@@ -4381,6 +4381,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: calico-node | |||
securityContext: |
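Review bot: this manifest is generated from the chart template (the template hunk earlier in this review adds the same key at the same position under `serviceAccountName: calico-node`), so the line should be produced by regeneration rather than edited by hand; before merging, re-run the manifest generation and confirm the working tree is clean, otherwise the next regeneration silently reverts this change.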
same as above
@@ -258,6 +258,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: calico-node | |||
securityContext: |
same as above
@@ -4378,6 +4378,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: calico-node | |||
securityContext: |
same as above
@@ -4412,6 +4412,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: calico-node | |||
securityContext: |
same as above
@@ -4376,6 +4376,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: calico-node | |||
securityContext: |
same as above
@@ -337,6 +337,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: canal-node | |||
securityContext: |
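Review bot: the same pod-level key is applied to the canal DaemonSet (`serviceAccountName: canal-node`), but the description's argument that the profile is a no-op rests on every container being privileged, which it states for calico-node only. Check each container and initContainer in this pod spec: any that is not privileged will now actually be confined by RuntimeDefault, and that pod should be exercised on a test cluster to confirm it starts and passes traffic before this is merged.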
same as above
@@ -4400,6 +4400,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: canal | |||
securityContext: |
same as above
@@ -4378,6 +4378,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: calico-node | |||
securityContext: |
same as above
@@ -398,6 +398,9 @@ spec: | |||
- effect: NoExecute | |||
operator: Exists | |||
serviceAccountName: calico-node | |||
securityContext: |
same as above
Hi @mgleung and thanks for reviewing this PR!
Setting
I created a kind cluster with disabled CNI, then applied the regenerated
Yes, this is what I did in order to change the files located in the
Setting
/sem-approve
/sem-approve
Description
We can enhance the `securityContext` of `calico-node`, `calico-kube-controllers` and `calico-typha` by explicitly adding a "RuntimeDefault" seccomp profile. By default Kubernetes runs the pods with profile "Unconfined". Privileged containers always run with the `Unconfined` profile (reference). Having said that, this change will only affect `calico-kube-controllers` and `calico-typha`, since all the containers in `calico-node` are run as privileged. Specifying the seccomp profile there acts as a guardrail against:
- `Unconfined`
- `privileged: true` from a container definition and still running as `Unconfined`
Related issues/PRs
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one `docs-*` label.
- `docs-pr-required`: This change requires a change to the documentation that has not been completed yet.
- `docs-completed`: This change has all necessary documentation completed.
- `docs-not-required`: This change has no user-facing impact and requires no docs.
Every PR needs one `release-note-*` label.
- `release-note-required`: This PR has user-facing changes. Most PRs should have this label.
- `release-note-not-required`: This PR has no user-facing changes.
Other optional labels:
- `cherry-pick-candidate`: This PR should be cherry-picked to an earlier release. For bug fixes only.
- `needs-operator-pr`: This PR is related to install and requires a corresponding change to the operator.