Add seccomp enforcement and validation based on new GA fields

Adds seccomp validation.

This ensures that field and annotation values must match when present.

Co-authored-by: Sascha Grunert <[email protected]>

Author: pjbgf

api/openapi-spec/swagger.json

@@ -39,17 +39,20 @@ const (
 
 	// SeccompPodAnnotationKey represents the key of a seccomp profile applied
 	// to all containers of a pod.
+	// Deprecated: set a pod security context `seccompProfile` field.
 	SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod"
 
 	// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
 	// to one container of a pod.
+	// Deprecated: set a container security context `seccompProfile` field.
 	SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/"
 
 	// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
+	// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
 	SeccompProfileRuntimeDefault string = "runtime/default"
 
 	// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
-	// This is now deprecated and should be replaced by SeccompProfileRuntimeDefault.
+	// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
 	DeprecatedSeccompProfileDockerDefault string = "docker/default"
 
 	// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)

pkg/apis/core/annotation_key_constants.go

@@ -34,23 +34,23 @@ type ContainerVisitorWithPath func(container *api.Container, path *field.Path) b
 // of every container in the given pod spec and the field.Path to that container.
 // If visitor returns false, visiting is short-circuited. VisitContainersWithPath returns true if visiting completes,
 // false if visiting was short-circuited.
-func VisitContainersWithPath(podSpec *api.PodSpec, visitor ContainerVisitorWithPath) bool {
-	path := field.NewPath("spec", "initContainers")
+func VisitContainersWithPath(podSpec *api.PodSpec, specPath *field.Path, visitor ContainerVisitorWithPath) bool {
+	fldPath := specPath.Child("initContainers")
 	for i := range podSpec.InitContainers {
-		if !visitor(&podSpec.InitContainers[i], path.Index(i)) {
+		if !visitor(&podSpec.InitContainers[i], fldPath.Index(i)) {
 			return false
 		}
 	}
-	path = field.NewPath("spec", "containers")
+	fldPath = specPath.Child("containers")
 	for i := range podSpec.Containers {
-		if !visitor(&podSpec.Containers[i], path.Index(i)) {
+		if !visitor(&podSpec.Containers[i], fldPath.Index(i)) {
 			return false
 		}
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.EphemeralContainers) {
-		path = field.NewPath("spec", "ephemeralContainers")
+		fldPath = specPath.Child("ephemeralContainers")
 		for i := range podSpec.EphemeralContainers {
-			if !visitor((*api.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon), path.Index(i)) {
+			if !visitor((*api.Container)(&podSpec.EphemeralContainers[i].EphemeralContainerCommon), fldPath.Index(i)) {
 				return false
 			}
 		}

pkg/apis/core/pods/helpers.go

@@ -32,16 +32,19 @@ func TestVisitContainersWithPath(t *testing.T) {
 
 	testCases := []struct {
 		description string
+		path        *field.Path
 		haveSpec    *api.PodSpec
 		wantNames   []string
 	}{
 		{
 			"empty podspec",
+			field.NewPath("spec"),
 			&api.PodSpec{},
 			[]string{},
 		},
 		{
 			"regular containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -52,6 +55,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"init containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				InitContainers: []api.Container{
 					{Name: "i1"},
@@ -62,6 +66,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"regular and init containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -76,6 +81,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"ephemeral containers",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -89,6 +95,7 @@ func TestVisitContainersWithPath(t *testing.T) {
 		},
 		{
 			"all container types",
+			field.NewPath("spec"),
 			&api.PodSpec{
 				Containers: []api.Container{
 					{Name: "c1"},
@@ -105,11 +112,30 @@ func TestVisitContainersWithPath(t *testing.T) {
 			},
 			[]string{"spec.initContainers[0]", "spec.initContainers[1]", "spec.containers[0]", "spec.containers[1]", "spec.ephemeralContainers[0]", "spec.ephemeralContainers[1]"},
 		},
+		{
+			"all container types with template pod path",
+			field.NewPath("template", "spec"),
+			&api.PodSpec{
+				Containers: []api.Container{
+					{Name: "c1"},
+					{Name: "c2"},
+				},
+				InitContainers: []api.Container{
+					{Name: "i1"},
+					{Name: "i2"},
+				},
+				EphemeralContainers: []api.EphemeralContainer{
+					{EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e1"}},
+					{EphemeralContainerCommon: api.EphemeralContainerCommon{Name: "e2"}},
+				},
+			},
+			[]string{"template.spec.initContainers[0]", "template.spec.initContainers[1]", "template.spec.containers[0]", "template.spec.containers[1]", "template.spec.ephemeralContainers[0]", "template.spec.ephemeralContainers[1]"},
+		},
 	}
 
 	for _, tc := range testCases {
 		gotNames := []string{}
-		VisitContainersWithPath(tc.haveSpec, func(c *api.Container, p *field.Path) bool {
+		VisitContainersWithPath(tc.haveSpec, tc.path, func(c *api.Container, p *field.Path) bool {
 			gotNames = append(gotNames, p.String())
 			return true
 		})

pkg/apis/core/pods/helpers_test.go

@@ -2897,8 +2897,36 @@ type PodSecurityContext struct {
 	// sysctls (by the container runtime) might fail to launch.
 	// +optional
 	Sysctls []Sysctl
+	// The seccomp options to use by the containers in this pod.
+	// +optional
+	SeccompProfile *SeccompProfile
 }
 
+// SeccompProfile defines a pod/container's seccomp profile settings.
+// Only one profile source may be set.
+// +union
+type SeccompProfile struct {
+	// +unionDiscriminator
+	Type SeccompProfileType
+	// Load a profile defined in static file on the node.
+	// The profile must be preconfigured on the node to work.
+	// LocalhostProfile cannot be an absolute nor a descending path.
+	// +optional
+	LocalhostProfile *string
+}
+
+// SeccompProfileType defines the supported seccomp profile types.
+type SeccompProfileType string
+
+const (
+	// SeccompProfileTypeUnconfined is when no seccomp profile is applied (A.K.A. unconfined).
+	SeccompProfileTypeUnconfined SeccompProfileType = "Unconfined"
+	// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile.
+	SeccompProfileTypeRuntimeDefault SeccompProfileType = "RuntimeDefault"
+	// SeccompProfileTypeLocalhost represents custom made profiles stored on the node's disk.
+	SeccompProfileTypeLocalhost SeccompProfileType = "Localhost"
+)
+
 // PodQOSClass defines the supported qos classes of Pods.
 type PodQOSClass string
 
@@ -5085,6 +5113,11 @@ type SecurityContext struct {
 	// readonly paths and masked paths.
 	// +optional
 	ProcMount *ProcMountType
+	// The seccomp options to use by this container. If seccomp options are
+	// provided at both the pod & container level, the container options
+	// override the pod options.
+	// +optional
+	SeccompProfile *SeccompProfile
 }
 
 // ProcMountType defines the type of proc mount

pkg/apis/core/types.go

@@ -69,6 +69,8 @@ go_test(
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//staging/src/k8s.io/component-base/featuregate/testing:go_default_library",
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
+        "//vendor/github.com/stretchr/testify/require:go_default_library",
         "//vendor/k8s.io/utils/pointer:go_default_library",
     ],
 )