Add documentation for Seccomp GA #21278
Conversation
@hasheddan: GitHub didn't allow me to request PR reviews from the following users: evrardjp. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Deploy preview for kubernetes-io-master-staging ready! Built with commit 3582c8d https://deploy-preview-21278--kubernetes-io-master-staging.netlify.app
pjbgf left a comment:
@hasheddan thanks for pushing ahead with the seccomp documentation. 👍
saschagrunert left a comment:
Thank you for starting with this @hasheddan 🙏 !
Hi @hasheddan, thank you for the PR. If this is a part of release 1.19, which I assume it is, can you open this PR against
@savitharaghunathan sure thing! Thanks for letting me know!
Deploy preview for kubernetes-io-vnext-staging processing. Building with commit 3ad7ea7 https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/5f15e80f1dd204000701b67b
/milestone 1.19
/sig node
sftim left a comment:
Here's some early feedback.
As well as the suggested rewording, I have a question.
What happens to the `--seccomp-profile-root` command line setting to the kubelet? What if I set this to, e.g., /run/foo in 1.19 - does that error out? Does the kubelet silently ignore the command line setting?
| `--seccomp-profile-root` flag on the Kubelet. (Note: this flag has been | ||
| deprecated in v1.19 and will be removed in v1.23. The seccomp root path will | ||
| then be derived from the kubelet root path, which is defined by `--root-dir`. | ||
| The current default value is `<root-dir>/seccomp`.) |
| `--seccomp-profile-root` flag on the Kubelet. (Note: this flag has been | |
| deprecated in v1.19 and will be removed in v1.23. The seccomp root path will | |
| then be derived from the kubelet root path, which is defined by `--root-dir`. | |
| The current default value is `<root-dir>/seccomp`.) | |
| `--seccomp-profile-root` flag on the kubelet. | |
| {{< note >}} | |
| Kubernetes v1.19 deprecated the `--seccomp-profile-root` flag, which will be removed in | |
| Kubernetes v1.23. The seccomp root path will then be derived from the kubelet root path, | |
| which is defined by `--root-dir`. The current default value is `<root-dir>/seccomp`. | |
| {{< /note >}} |
or, with avoiding statements about the future in mind:
| `--seccomp-profile-root` flag on the Kubelet. (Note: this flag has been | |
| deprecated in v1.19 and will be removed in v1.23. The seccomp root path will | |
| then be derived from the kubelet root path, which is defined by `--root-dir`. | |
| The current default value is `<root-dir>/seccomp`.) | |
| the seccomp root path for that node. The default seccomp root path is a directory | |
| named `seccomp` directly beneath the kubelet's root directory (specified via the | |
| `--root-dir` command line flag to the kubelet). | |
| {{< note >}} | |
| The `--seccomp-profile-root` flag (deprecated since Kubernetes v1.19) allowed you to configure | |
| the seccomp root path for a node. To use the defined behavior, leave that flag unset so that the | |
| kubelet uses its default. | |
| {{< /note >}} |
@hasheddan, avoid statements/promises/predictions about the future.
| --- | ||
| reviewers: | ||
| - stclair | ||
| title: AppArmor |
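Review bot: the front matter for this seccomp page still carries `title: AppArmor`, which looks like a leftover from the page it was copied from; change the title to name seccomp before merge so the tutorial is listed and searchable under the right subject.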
Consider revising this title in the PR that introduces a Seccomp tutorial.
@sftim how would opening a separate PR work with docs freeze? This PR was marked ready for review before the deadline but a new one would not have been.
@hasheddan the website itself uses a continuous deployment pipeline. To get your change into a release (v1.19) you must document it, and this documentation has an impending deadline for when your feature documentation must be ready. But, you can split this PR into a minimum-viable amount of documentation and a separate PR with the tutorial in it, both targeting dev-1.19. Once #21278 (this PR) merges, and a putative separate PR for adding the seccomp tutorial has /lgtm, then that separate tutorial PR is good to merge into dev-1.19, ahead of the release. If the separate tutorial misses the opportunity to merge into the dev-1.19 branch you can change its merge target to master, after v1.19 is released, and it'll still be ready for approval, automated merge, and publishing. Essentially: whilst it's nice to add that tutorial for using Seccomp, not adding that tutorial doesn't block or delay the v1.19 release. @savitharaghunathan & @kubernetes/sig-docs-leads does that sound right? If I've got a detail wrong there please jump in.
| ## {{% heading "prerequisites" %}} | ||
|
|
||
| In order to complete all steps in this tutorial, you must install | ||
| [kind](https://kind.sigs.k8s.io/docs/user/quick-start/) and |
Is it straightforward to port the tutorial to use minikube?
|
|
||
| ## Create Pod with Seccomp Profile for Syscall Auditing | ||
|
|
||
| Next we want to apply our `audit.json` profile, which will log all syscalls of |
Next, apply the audit.json profile. The audit.json profile logs all syscalls of the process to a new Pod.
| If you are using a pre-v1.19 Kubernetes version, download this manifest as | ||
| `audit-pod.yaml`. | ||
|
|
||
| {{< codenew file="pods/security/seccomp/alpha/audit-pod.yaml" >}} | ||
|
|
||
| If using Kubernetes v1.19 or later, download this manifest as `audit-pod.yaml`. | ||
|
|
||
| {{< codenew file="pods/security/seccomp/ga/audit-pod.yaml" >}} |
Consider using tabs here.
A viable alternative: get a version of this tutorial for v1.18 merged into master, and then revise it for v1.19
In the v1.19 and later versions, tell the reader to look at the v1.18 version if they're using an older cluster.
| audit-pod 1/1 Running 0 30s | ||
| ``` | ||
|
|
||
| We want to be able to interact with this endpoint exposed by this container, so |
nit, clean up we and let's:
To interact with this endpoint exposed by this container, create a NodePort service that allows access
to the endpoint from inside your kind control plane container.
| ``` | ||
|
|
||
| Now we will be able to `curl` the endpoint from inside the kind control plane | ||
| container at the port exposed by this Service. |
Clean up: Now we will be able ...
| ``` | ||
| docker exec -it 6a96207fed4b curl localhost:32373 | ||
| ``` | ||
|
|
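Review bot: the `docker exec -it 6a96207fed4b curl localhost:32373` command hard-codes a container ID and a NodePort that only exist in the author's own run; replace both with placeholders and tell the reader where the real values come from (the ID of their kind control plane container and the port assigned to the NodePort Service created above), otherwise the copied command fails.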
Is this the output?
If so, could add text before the code block to explain.
This is a command, added some text to indicate so 👍
|
|
||
| {{< codenew file="pods/security/seccomp/alpha/default-pod.yaml" >}} | ||
|
|
||
| If using Kubernetes v1.19 or later, set the field. |
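Review bot: "If using Kubernetes v1.19 or later, set the field." does not say which field to set or on what object; name it (the `seccompProfile` field that the PR description lists as the subject of the security-context section) and pair the sentence with the v1.19 manifest, as is already done for the audit Pod with the alpha and GA `audit-pod.yaml` files.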
nit: Set the field?
Looking at this again.
Hello @hasheddan. Thanks for this PR.
@savitharaghunathan, what is the absolute last day/time for accepting 1.19 docs changes?
@kbhawkey It is EOD PST time today :) However, this particular PR has obtained approvals to be merged after the deadline.
@sftim @kbhawkey thank you for your thoughtful reviews and your patience! I believe I have now addressed all comments, and have made the explanation of using both GA and alpha seccomp cleaner by using tabs. I have not yet moved the tutorial from kind to minikube, and would advocate for keeping kind and adding minikube because I think the kind setup is useful information. Seccomp should work on any Kubernetes cluster where it is enabled, so it does not make a huge difference what tool or service is used. I am starting work on adding minikube support here, but please let me know if you think it is not necessary. Thanks again for your work!
Signed-off-by: hasheddan <[email protected]>
@zacharysarah commits squashed 👍
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: zacharysarah. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Signed-off-by: hasheddan [email protected]
This adds documentation for the Seccomp GA KEP: kubernetes/enhancements#135
Tasks still to be completed:
- /content/en/docs/concepts/security/pod-security-standards.md
- /content/en/docs/tasks/configure-pod-container/security-context.md with a short section on setting `seccompProfile` fields
- /content/en/docs/tutorials/clusters/seccomp.md
/cc @saschagrunert @pjbgf @evrardjp