Partly remove support for seccomp annotations
We now partly drop the support for seccomp annotations which is planned for v1.25 as part of the KEP: https://github.com/kubernetes/enhancements/issues/135 Pod security policies are not touched by this change and therefore we have to keep the annotation key constants. This means we only allow the usage of the annotations for backwards compatibility reasons while the synchronization of the field to annotation is no longer supported. Using the annotations for static pods is also not supported any more. Making the annotations fully non-functional will be deferred to a future release. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit is contained in:
@@ -777,36 +777,6 @@ func SeccompAnnotationForField(field *api.SeccompProfile) string {
|
||||
return ""
|
||||
}
|
||||
|
||||
// SeccompFieldForAnnotation takes a pod annotation and returns the converted
|
||||
// seccomp profile field.
|
||||
func SeccompFieldForAnnotation(annotation string) *api.SeccompProfile {
|
||||
// If only seccomp annotations are specified, copy the values into the
|
||||
// corresponding fields. This ensures that existing applications continue
|
||||
// to enforce seccomp, and prevents the kubelet from needing to resolve
|
||||
// annotations & fields.
|
||||
if annotation == v1.SeccompProfileNameUnconfined {
|
||||
return &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
|
||||
}
|
||||
|
||||
if annotation == api.SeccompProfileRuntimeDefault || annotation == api.DeprecatedSeccompProfileDockerDefault {
|
||||
return &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}
|
||||
}
|
||||
|
||||
if strings.HasPrefix(annotation, v1.SeccompLocalhostProfileNamePrefix) {
|
||||
localhostProfile := strings.TrimPrefix(annotation, v1.SeccompLocalhostProfileNamePrefix)
|
||||
if localhostProfile != "" {
|
||||
return &api.SeccompProfile{
|
||||
Type: api.SeccompProfileTypeLocalhost,
|
||||
LocalhostProfile: &localhostProfile,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// we can only reach this code path if the localhostProfile name has a zero
|
||||
// length or if the annotation has an unrecognized value
|
||||
return nil
|
||||
}
|
||||
|
||||
// setsWindowsHostProcess returns true if WindowsOptions.HostProcess is set (true or false)
|
||||
// anywhere in the pod spec.
|
||||
func setsWindowsHostProcess(podSpec *api.PodSpec) bool {
|
||||
|
@@ -240,7 +240,7 @@ func warningsForPodSpecAndMeta(fieldPath *field.Path, podSpec *api.PodSpec, meta
|
||||
// use of pod seccomp annotation without accompanying field
|
||||
if podSpec.SecurityContext == nil || podSpec.SecurityContext.SeccompProfile == nil {
|
||||
if _, exists := meta.Annotations[api.SeccompPodAnnotationKey]; exists {
|
||||
warnings = append(warnings, fmt.Sprintf(`%s: deprecated since v1.19, non-functional in v1.25+; use the "seccompProfile" field instead`, fieldPath.Child("metadata", "annotations").Key(api.SeccompPodAnnotationKey)))
|
||||
warnings = append(warnings, fmt.Sprintf(`%s: deprecated since v1.19, non-functional in a future release; use the "seccompProfile" field instead`, fieldPath.Child("metadata", "annotations").Key(api.SeccompPodAnnotationKey)))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -248,7 +248,7 @@ func warningsForPodSpecAndMeta(fieldPath *field.Path, podSpec *api.PodSpec, meta
|
||||
// use of container seccomp annotation without accompanying field
|
||||
if c.SecurityContext == nil || c.SecurityContext.SeccompProfile == nil {
|
||||
if _, exists := meta.Annotations[api.SeccompContainerAnnotationKeyPrefix+c.Name]; exists {
|
||||
warnings = append(warnings, fmt.Sprintf(`%s: deprecated since v1.19, non-functional in v1.25+; use the "seccompProfile" field instead`, fieldPath.Child("metadata", "annotations").Key(api.SeccompContainerAnnotationKeyPrefix+c.Name)))
|
||||
warnings = append(warnings, fmt.Sprintf(`%s: deprecated since v1.19, non-functional in a future release; use the "seccompProfile" field instead`, fieldPath.Child("metadata", "annotations").Key(api.SeccompContainerAnnotationKeyPrefix+c.Name)))
|
||||
}
|
||||
}
|
||||
|
||||
|
@@ -432,8 +432,8 @@ func TestWarnings(t *testing.T) {
|
||||
},
|
||||
expected: []string{
|
||||
`metadata.annotations[scheduler.alpha.kubernetes.io/critical-pod]: non-functional in v1.16+; use the "priorityClassName" field instead`,
|
||||
`metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: deprecated since v1.19, non-functional in v1.25+; use the "seccompProfile" field instead`,
|
||||
`metadata.annotations[container.seccomp.security.alpha.kubernetes.io/foo]: deprecated since v1.19, non-functional in v1.25+; use the "seccompProfile" field instead`,
|
||||
`metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: deprecated since v1.19, non-functional in a future release; use the "seccompProfile" field instead`,
|
||||
`metadata.annotations[container.seccomp.security.alpha.kubernetes.io/foo]: deprecated since v1.19, non-functional in a future release; use the "seccompProfile" field instead`,
|
||||
`metadata.annotations[security.alpha.kubernetes.io/sysctls]: non-functional in v1.11+; use the "sysctls" field instead`,
|
||||
`metadata.annotations[security.alpha.kubernetes.io/unsafe-sysctls]: non-functional in v1.11+; use the "sysctls" field instead`,
|
||||
},
|
||||
|
Reference in New Issue
Block a user