Support spec.securityContext.seccompProfile #195

Closed
mac-chaffee opened this issue May 14, 2022 · 3 comments · May be fixed by #599
mac-chaffee commented May 14, 2022

In Kubernetes v1.19, seccomp graduated to GA which meant the seccomp annotations (seccomp.security.alpha.kubernetes.io/pod: runtime/default) were deprecated:

W0514 13:03:16.997735   41392 warnings.go:70] spec.template.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/manager]: deprecated since v1.19; use the "seccompProfile" field instead

The "k8spspseccomp" mutating constraint should probably be updated to check both the annotation and the new field, at least until v1.25 comes out: https://github.com/open-policy-agent/gatekeeper-library/blob/259ad1bdd8945d6df451d3fc2867109d76b854e2/mutation/pod-security-policy/seccomp/samples/mutation.yaml

This issue and #188 make me think we might need a mechanism for creating constraints that do different things depending on the k8s version.

@mac-chaffee

Oh it already checks the securityContext, nvm:

# Container profile as defined in pods securityContext
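
The dual lookup discussed in this thread (the deprecated annotations alongside the `seccompProfile` field), as an added example that is not part of the original issue or of the gatekeeper-library code. The precedence order (container before pod, field before annotation at each level), the `Unknown` marker and the sample pod are assumptions made for illustration.

```python
# Added example: resolve each container's effective seccomp profile from both
# the GA securityContext.seccompProfile field and the deprecated annotations.
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def from_annotation(value):
    """Translate a deprecated annotation value into seccompProfile form."""
    if value in ("runtime/default", "docker/default"):
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/"):
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    return {"type": "Unknown", "raw": value}  # hypothetical marker, not a k8s type


def effective_profiles(pod):
    """Return {container_name: (profile_or_None, source)} for a Pod manifest dict."""
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    spec = pod.get("spec") or {}
    pod_field = (spec.get("securityContext") or {}).get("seccompProfile")
    pod_ann = annotations.get(POD_ANNOTATION)
    result = {}
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        field = (c.get("securityContext") or {}).get("seccompProfile")
        ann = annotations.get(CONTAINER_ANNOTATION_PREFIX + c["name"])
        # Assumed precedence: first non-empty candidate wins.
        candidates = [
            (field, "container field"),
            (from_annotation(ann) if ann else None, "container annotation"),
            (pod_field, "pod field"),
            (from_annotation(pod_ann) if pod_ann else None, "pod annotation"),
        ]
        result[c["name"]] = next(((p, s) for p, s in candidates if p), (None, "unset"))
    return result


# Constructed sample manifest; "manager" mirrors the container in the warning above.
SAMPLE_POD = {
    "metadata": {"annotations": {
        CONTAINER_ANNOTATION_PREFIX + "manager": "runtime/default",
        POD_ANNOTATION: "localhost/profiles/audit.json",
    }},
    "spec": {"containers": [
        {"name": "manager"},
        {"name": "sidecar", "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        {"name": "proxy"},
    ]},
}
```
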

mac-chaffee reopened this May 14, 2022
stale bot commented Jan 31, 2023

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
