Add config flag to default empty seccomp profile

This changes adds `default_seccomp_profile` config switch to apply default seccomp profile when not provided by k8s.a

Signed-off-by: Maksym Pavlenko <pavlenko.maksym@gmail.com>

pkg/config/config.go

@@ -225,6 +225,8 @@ type PluginConfig struct {
 	// DisableProcMount disables Kubernetes ProcMount support. This MUST be set to `true`
 	// when using containerd with Kubernetes <=1.11.
 	DisableProcMount bool `toml:"disable_proc_mount" json:"disableProcMount"`
+	// DefaultSeccompProfile is a seccomp profile to use if not provided by k8s.
+	DefaultSeccompProfile string `toml:"default_seccomp_profile" json:"defaultSeccompProfile"`
 }
 
 // X509KeyPairStreaming contains the x509 configuration for streaming

pkg/server/container_create_unix.go

@@ -286,7 +286,7 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
 		specOpts = append(specOpts, apparmorSpecOpts)
 	}
 
-	seccompSpecOpts, err := generateSeccompSpecOpts(
+	seccompSpecOpts, err := c.generateSeccompSpecOpts(
 		securityContext.GetSeccompProfilePath(),
 		securityContext.GetPrivileged(),
 		c.seccompEnabled())
@@ -300,11 +300,14 @@ func (c *criService) containerSpecOpts(config *runtime.ContainerConfig, imageCon
 }
 
 // generateSeccompSpecOpts generates containerd SpecOpts for seccomp.
-func generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
+func (c *criService) generateSeccompSpecOpts(seccompProf string, privileged, seccompEnabled bool) (oci.SpecOpts, error) {
 	if privileged {
 		// Do not set seccomp profile when container is privileged
 		return nil, nil
 	}
+	if seccompProf == "" {
+		seccompProf = c.config.DefaultSeccompProfile
+	}
 	// Set seccomp profile
 	if seccompProf == runtimeDefault || seccompProf == dockerDefault {
 		// use correct default profile (Eg. if not configured otherwise, the default is docker/default)

pkg/server/container_create_unix_test.go

@@ -20,6 +20,7 @@ package server
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -784,6 +785,7 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
 		disable        bool
 		specOpts       oci.SpecOpts
 		expectErr      bool
+		defaultProfile string
 	}{
 		"should return error if seccomp is specified when seccomp is not supported": {
 			profile:   runtimeDefault,
@@ -824,9 +826,19 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
 			profile:   "test-profile",
 			expectErr: true,
 		},
+		"should use default profile when seccomp is empty": {
+			defaultProfile: profileNamePrefix + "test-profile",
+			specOpts:       seccomp.WithProfile("test-profile"),
+		},
+		"should fallback to docker/default when seccomp is empty and default is runtime/default": {
+			defaultProfile: runtimeDefault,
+			specOpts:       seccomp.WithDefaultProfile(),
+		},
 	} {
-		t.Logf("TestCase %q", desc)
-		specOpts, err := generateSeccompSpecOpts(test.profile, test.privileged, !test.disable)
+		t.Run(fmt.Sprintf("TestCase %q", desc), func(t *testing.T) {
+			cri := &criService{}
+			cri.config.DefaultSeccompProfile = test.defaultProfile
+			specOpts, err := cri.generateSeccompSpecOpts(test.profile, test.privileged, !test.disable)
 			assert.Equal(t,
 				reflect.ValueOf(test.specOpts).Pointer(),
 				reflect.ValueOf(specOpts).Pointer())
@@ -835,6 +847,7 @@ func TestGenerateSeccompSpecOpts(t *testing.T) {
 			} else {
 				assert.NoError(t, err)
 			}
+		})
 	}
 }
 

pkg/server/sandbox_run_unix.go

@@ -161,7 +161,7 @@ func (c *criService) sandboxContainerSpecOpts(config *runtime.PodSandboxConfig,
 		securityContext = config.GetLinux().GetSecurityContext()
 		specOpts        []oci.SpecOpts
 	)
-	seccompSpecOpts, err := generateSeccompSpecOpts(
+	seccompSpecOpts, err := c.generateSeccompSpecOpts(
 		securityContext.GetSeccompProfilePath(),
 		securityContext.GetPrivileged(),
 		c.seccompEnabled())