The feature gate gets locked to "true", with the goal to remove it in two
releases.
All code now can assume that the feature is enabled. Tests for "feature
disabled" are no longer needed and get removed.
Some code wasn't using the new helper functions yet. That gets changed while
touching those lines.
* Change uses of whitelist to allowlist in kubelet sysctl
* Rename whitelist files to allowlist in Kubelet sysctl
* Further renames of whitelist to allowlist in Kubelet
* Rename podsecuritypolicy uses of whitelist to allowlist
* Update pkg/kubelet/kubelet.go
Co-authored-by: Danielle <dani@builds.terrible.systems>
Co-authored-by: Danielle <dani@builds.terrible.systems>
In general it could be possible that init containers deploy security
profiles. The existing AppArmor pre-validation would block the complete
workload without this patch being applied. If we now schedule a
workload which contains an unconfined init container, then we will skip
the validation. The underlying container runtime will fail if the
profile is not available after the execution of the init container.
This synchronizes the overall behavior with seccomp.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
When introducing the new "generic" volume type for generic ephemeral
inline volumes, the storage policy for PodSecurityPolicy objects
should have been extended so that this new type is valid only
if the generic ephemeral volume feature is enabled or an
existing object already has it.
Adding the new type to the internal API was also missed.
The `apparmor_parser` binary is not really required for a system to run
AppArmor from a Kubernetes perspective. How to apply the profile is more
in the responsibility of lower level runtimes like CRI-O and containerd,
which may do the binary check on their own.
This synchronizes the current libcontainer implementation with the
vendored Kubernetes source code and allows distributions to use
AppArmor, even when they do not have the parser available in
`/sbin/apparmor_parser`.
Signed-off-by: Sascha Grunert <mail@saschagrunert.de>
With the graduation of seccomp to GA we automatically convert the
deprecated seccomp profile annotation `docker/default` to
`runtime/default`. This means that we now have to automatically allow
`runtime/default` if a user specifies `docker/default` and vice versa in
an allowed PSP seccomp profile.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
sysctl value `net.ipv4.ping_group_range` can be used for allowing `ping`
command without `CAP_NET_RAW` capability.
e.g. `net.ipv4.ping_group_range="0 42"` to allow ping for users with
GID 0-GID 42.
This sysctl value was introduced in kernel 3.0 and has been namespaced
since its birth.
c319b4d76b (diff-5b536a7a92abed603bbb4caa61613270R57)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
