github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #103941 from saschagrunert/seccomp-profile-root

Browse Source 
Remove deprecated `--seccomp-profile-root`/`seccompProfileRoot` config
This commit is contained in:
Kubernetes Prow Robot 2021-09-02 08:52:57 -07:00 committed by GitHub
commit 0b4a793da2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 37 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
cmd/kubelet/app/options/options.go
View File

@ -20,7 +20,6 @@ package options
import ( import (
"fmt" "fmt"
_ "net/http/pprof" // Enable pprof HTTP handlers. _ "net/http/pprof" // Enable pprof HTTP handlers.
"path/filepath"
"runtime" "runtime"
"strings" "strings"
@ -141,9 +140,6 @@ type KubeletFlags struct {
// This will cause the kubelet to listen to inotify events on the lock file, // This will cause the kubelet to listen to inotify events on the lock file,
// releasing it and exiting when another process tries to open that file. // releasing it and exiting when another process tries to open that file.
ExitOnLockContention bool ExitOnLockContention bool
// seccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot string
// DEPRECATED FLAGS // DEPRECATED FLAGS
// minimumGCAge is the minimum age for a finished container before it is // minimumGCAge is the minimum age for a finished container before it is
// garbage collected. // garbage collected.
@ -193,7 +189,6 @@ func NewKubeletFlags() *KubeletFlags {
RemoteRuntimeEndpoint: remoteRuntimeEndpoint, RemoteRuntimeEndpoint: remoteRuntimeEndpoint,
NodeLabels: make(map[string]string), NodeLabels: make(map[string]string),
RegisterNode: true, RegisterNode: true,
SeccompProfileRoot: filepath.Join(defaultRootDir, "seccomp"),
} }
} }
@ -375,8 +370,6 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
fs.MarkDeprecated("keep-terminated-pod-volumes", "will be removed in a future version") fs.MarkDeprecated("keep-terminated-pod-volumes", "will be removed in a future version")
fs.BoolVar(&f.ReallyCrashForTesting, "really-crash-for-testing", f.ReallyCrashForTesting, "If true, when panics occur crash. Intended for testing.") fs.BoolVar(&f.ReallyCrashForTesting, "really-crash-for-testing", f.ReallyCrashForTesting, "If true, when panics occur crash. Intended for testing.")
fs.MarkDeprecated("really-crash-for-testing", "will be removed in a future version.") fs.MarkDeprecated("really-crash-for-testing", "will be removed in a future version.")
fs.StringVar(&f.SeccompProfileRoot, "seccomp-profile-root", f.SeccompProfileRoot, "<Warning: Alpha feature> Directory path for seccomp profiles.")
fs.MarkDeprecated("seccomp-profile-root", "will be removed in 1.23, in favor of using the `<root-dir>/seccomp` directory")
fs.StringVar(&f.ExperimentalMounterPath, "experimental-mounter-path", f.ExperimentalMounterPath, "[Experimental] Path of mounter binary. Leave empty to use the default mount.") fs.StringVar(&f.ExperimentalMounterPath, "experimental-mounter-path", f.ExperimentalMounterPath, "[Experimental] Path of mounter binary. Leave empty to use the default mount.")
fs.MarkDeprecated("experimental-mounter-path", "will be removed in 1.23. in favor of using CSI.") fs.MarkDeprecated("experimental-mounter-path", "will be removed in 1.23. in favor of using CSI.")
fs.BoolVar(&f.ExperimentalCheckNodeCapabilitiesBeforeMount, "experimental-check-node-capabilities-before-mount", f.ExperimentalCheckNodeCapabilitiesBeforeMount, "[Experimental] if set true, the kubelet will check the underlying node for required components (binaries, etc.) before performing the mount") fs.BoolVar(&f.ExperimentalCheckNodeCapabilitiesBeforeMount, "experimental-check-node-capabilities-before-mount", f.ExperimentalCheckNodeCapabilitiesBeforeMount, "[Experimental] if set true, the kubelet will check the underlying node for required components (binaries, etc.) before performing the mount")

3
cmd/kubelet/app/server.go
View File

@ -1183,7 +1183,6 @@ func RunKubelet(kubeServer *options.KubeletServer, kubeDeps *kubelet.Dependencie
kubeServer.RegisterSchedulable, kubeServer.RegisterSchedulable,
kubeServer.KeepTerminatedPodVolumes, kubeServer.KeepTerminatedPodVolumes,
kubeServer.NodeLabels, kubeServer.NodeLabels,
kubeServer.SeccompProfileRoot,
kubeServer.NodeStatusMaxImages, kubeServer.NodeStatusMaxImages,
kubeServer.KubeletFlags.SeccompDefault || kubeServer.KubeletConfiguration.SeccompDefault, kubeServer.KubeletFlags.SeccompDefault || kubeServer.KubeletConfiguration.SeccompDefault,
) )
@ -1259,7 +1258,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable bool, registerSchedulable bool,
keepTerminatedPodVolumes bool, keepTerminatedPodVolumes bool,
nodeLabels map[string]string, nodeLabels map[string]string,
seccompProfileRoot string,
nodeStatusMaxImages int32, nodeStatusMaxImages int32,
seccompDefault bool, seccompDefault bool,
) (k kubelet.Bootstrap, err error) { ) (k kubelet.Bootstrap, err error) {
@ -1294,7 +1292,6 @@ func createAndInitKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable, registerSchedulable,
keepTerminatedPodVolumes, keepTerminatedPodVolumes,
nodeLabels, nodeLabels,
seccompProfileRoot,
nodeStatusMaxImages, nodeStatusMaxImages,
seccompDefault, seccompDefault,
) )

3
pkg/kubelet/kubelet.go
View File

@ -374,7 +374,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
registerSchedulable bool, registerSchedulable bool,
keepTerminatedPodVolumes bool, keepTerminatedPodVolumes bool,
nodeLabels map[string]string, nodeLabels map[string]string,
seccompProfileRoot string,
nodeStatusMaxImages int32, nodeStatusMaxImages int32,
seccompDefault bool, seccompDefault bool,
) (*Kubelet, error) { ) (*Kubelet, error) {
@ -665,7 +664,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
klet.livenessManager, klet.livenessManager,
klet.readinessManager, klet.readinessManager,
klet.startupManager, klet.startupManager,
seccompProfileRoot, rootDirectory,
machineInfo, machineInfo,
klet.podWorkers, klet.podWorkers,
kubeDeps.OSInterface, kubeDeps.OSInterface,

56
pkg/kubelet/kuberuntime/helpers_test.go
View File

@ -31,6 +31,14 @@ import (
utilpointer "k8s.io/utils/pointer" utilpointer "k8s.io/utils/pointer"
) )
func seccompLocalhostRef(profileName string) string {
return filepath.Join(fakeSeccompProfileRoot, profileName)
}
func seccompLocalhostPath(profileName string) string {
return "localhost/" + seccompLocalhostRef(profileName)
}
func TestStableKey(t *testing.T) { func TestStableKey(t *testing.T) {
container := &v1.Container{ container := &v1.Container{
Name: "test_container", Name: "test_container",
@ -353,7 +361,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
annotation: map[string]string{ annotation: map[string]string{
v1.SeccompPodAnnotationKey: "localhost/chmod.json", v1.SeccompPodAnnotationKey: "localhost/chmod.json",
}, },
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"), expectedProfile: seccompLocalhostPath("chmod.json"),
}, },
{ {
description: "annotations: pod localhost seccomp profile with containerName should return local profile path", description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
@ -361,7 +369,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompPodAnnotationKey: "localhost/chmod.json", v1.SeccompPodAnnotationKey: "localhost/chmod.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"), expectedProfile: seccompLocalhostPath("chmod.json"),
}, },
{ {
description: "annotations: container localhost seccomp profile with containerName should return local profile path", description: "annotations: container localhost seccomp profile with containerName should return local profile path",
@ -369,7 +377,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json", v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"), expectedProfile: seccompLocalhostPath("chmod.json"),
}, },
{ {
description: "annotations: container localhost seccomp profile should override pod profile", description: "annotations: container localhost seccomp profile should override pod profile",
@ -378,7 +386,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json", v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"), expectedProfile: seccompLocalhostPath("chmod.json"),
}, },
{ {
description: "annotations: container localhost seccomp profile with unmatched containerName should return empty", description: "annotations: container localhost seccomp profile with unmatched containerName should return empty",
@ -411,7 +419,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
{ {
description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile", description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}}, podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"), expectedProfile: seccompLocalhostPath("filename"),
}, },
{ {
description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty", description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
@ -426,7 +434,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
{ {
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile", description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}}, containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"), expectedProfile: seccompLocalhostPath("filename2"),
}, },
{ {
description: "prioritise container field over pod field", description: "prioritise container field over pod field",
@ -443,7 +451,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json", v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"), expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
}, },
{ {
description: "prioritise container annotation over pod field", description: "prioritise container annotation over pod field",
@ -453,7 +461,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json", v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"), expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
}, },
{ {
description: "prioritise pod field over pod annotation", description: "prioritise pod field over pod annotation",
@ -462,7 +470,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json", v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"), expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
}, },
} }
@ -543,7 +551,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
annotation: map[string]string{ annotation: map[string]string{
v1.SeccompPodAnnotationKey: "localhost/chmod.json", v1.SeccompPodAnnotationKey: "localhost/chmod.json",
}, },
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"), expectedProfile: seccompLocalhostPath("chmod.json"),
}, },
{ {
description: "annotations: pod localhost seccomp profile with containerName should return local profile path", description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
@ -551,7 +559,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompPodAnnotationKey: "localhost/chmod.json", v1.SeccompPodAnnotationKey: "localhost/chmod.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"), expectedProfile: seccompLocalhostPath("chmod.json"),
}, },
{ {
description: "annotations: container localhost seccomp profile with containerName should return local profile path", description: "annotations: container localhost seccomp profile with containerName should return local profile path",
@ -559,7 +567,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json", v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"), expectedProfile: seccompLocalhostPath("chmod.json"),
}, },
{ {
description: "annotations: container localhost seccomp profile should override pod profile", description: "annotations: container localhost seccomp profile should override pod profile",
@ -568,7 +576,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json", v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "chmod.json"), expectedProfile: seccompLocalhostPath("chmod.json"),
}, },
{ {
description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default", description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default",
@ -601,7 +609,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
{ {
description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile", description: "pod seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}}, podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename"), expectedProfile: seccompLocalhostPath("filename"),
}, },
{ {
description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default", description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
@ -616,7 +624,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
{ {
description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile", description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}}, containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "filename2"), expectedProfile: seccompLocalhostPath("filename2"),
}, },
{ {
description: "prioritise container field over pod field", description: "prioritise container field over pod field",
@ -633,7 +641,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json", v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"), expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
}, },
{ {
description: "prioritise container annotation over pod field", description: "prioritise container annotation over pod field",
@ -643,7 +651,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json", v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "annota-cont-profile.json"), expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
}, },
{ {
description: "prioritise pod field over pod annotation", description: "prioritise pod field over pod annotation",
@ -652,7 +660,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json", v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
}, },
containerName: "container1", containerName: "container1",
expectedProfile: "localhost/" + filepath.Join(fakeSeccompProfileRoot, "field-pod-profile.json"), expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
}, },
} }
@ -711,7 +719,7 @@ func TestGetSeccompProfile(t *testing.T) {
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}}, podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: &runtimeapi.SecurityProfile{ expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost, ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"), LocalhostRef: seccompLocalhostRef("filename"),
}, },
}, },
{ {
@ -729,7 +737,7 @@ func TestGetSeccompProfile(t *testing.T) {
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}}, containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: &runtimeapi.SecurityProfile{ expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost, ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"), LocalhostRef: seccompLocalhostRef("filename2"),
}, },
}, },
{ {
@ -745,7 +753,7 @@ func TestGetSeccompProfile(t *testing.T) {
containerName: "container1", containerName: "container1",
expectedProfile: &runtimeapi.SecurityProfile{ expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost, ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"), LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
}, },
}, },
} }
@ -805,7 +813,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}}, podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename")}},
expectedProfile: &runtimeapi.SecurityProfile{ expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost, ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename"), LocalhostRef: seccompLocalhostRef("filename"),
}, },
}, },
{ {
@ -823,7 +831,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}}, containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("filename2")}},
expectedProfile: &runtimeapi.SecurityProfile{ expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost, ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "filename2"), LocalhostRef: seccompLocalhostRef("filename2"),
}, },
}, },
{ {
@ -839,7 +847,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
containerName: "container1", containerName: "container1",
expectedProfile: &runtimeapi.SecurityProfile{ expectedProfile: &runtimeapi.SecurityProfile{
ProfileType: runtimeapi.SecurityProfile_Localhost, ProfileType: runtimeapi.SecurityProfile_Localhost,
LocalhostRef: filepath.Join(fakeSeccompProfileRoot, "field-cont-profile.json"), LocalhostRef: seccompLocalhostRef("field-cont-profile.json"),
}, },
}, },
} }

5
pkg/kubelet/kuberuntime/kuberuntime_manager.go
View File

@ -20,6 +20,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"os" "os"
"path/filepath"
goruntime "runtime" goruntime "runtime"
"time" "time"
@ -177,7 +178,7 @@ func NewKubeGenericRuntimeManager(
livenessManager proberesults.Manager, livenessManager proberesults.Manager,
readinessManager proberesults.Manager, readinessManager proberesults.Manager,
startupManager proberesults.Manager, startupManager proberesults.Manager,
seccompProfileRoot string, rootDirectory string,
machineInfo *cadvisorapi.MachineInfo, machineInfo *cadvisorapi.MachineInfo,
podStateProvider podStateProvider, podStateProvider podStateProvider,
osInterface kubecontainer.OSInterface, osInterface kubecontainer.OSInterface,
@ -206,7 +207,7 @@ func NewKubeGenericRuntimeManager(
recorder: recorder, recorder: recorder,
cpuCFSQuota: cpuCFSQuota, cpuCFSQuota: cpuCFSQuota,
cpuCFSQuotaPeriod: cpuCFSQuotaPeriod, cpuCFSQuotaPeriod: cpuCFSQuotaPeriod,
seccompProfileRoot: seccompProfileRoot, seccompProfileRoot: filepath.Join(rootDirectory, "seccomp"),
livenessManager: livenessManager, livenessManager: livenessManager,
readinessManager: readinessManager, readinessManager: readinessManager,
startupManager: startupManager, startupManager: startupManager,

3
staging/src/k8s.io/api/core/v1/types.go
View File

@ -3384,8 +3384,7 @@ const (
// SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile. // SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile.
SeccompProfileTypeRuntimeDefault SeccompProfileType = "RuntimeDefault" SeccompProfileTypeRuntimeDefault SeccompProfileType = "RuntimeDefault"
// SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used. // SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used.
// The file's location is based off the kubelet's deprecated flag --seccomp-profile-root. // The file's location relative to <kubelet-root-dir>/seccomp.
// Once the flag support is removed the location will be <kubelet-root-dir>/seccomp.
SeccompProfileTypeLocalhost SeccompProfileType = "Localhost" SeccompProfileTypeLocalhost SeccompProfileType = "Localhost"
) )