mirror of https://github.com/dapr/docs.git
adding explanation on how to configure seccompprofile
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
This commit is contained in:
parent
37fdfc372e
commit
5c74c89884
@ -236,6 +236,12 @@ The injector watchdog is disabled by default when running Dapr in Kubernetes mod
Refer to the documentation for the [Dapr operator]({{< ref operator >}}) service for more details on the injector watchdog and how to enable it.
## Configuring seccompProfile for sidecar containers
By default, Dapr sidecar injector injects a sidecar without any `seccompProfile`. However, to have Dapr sidecar contianer run successfully in a namespace with [Restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) profile, sidecar container needs to have `securityContext.seccompProfile.Type` to not be `nil`.
Refer to [this]({{< ref "arguments-annotations-overview.md" >}}) documentation to set appropriate `seccompProfile` on sidecar container accordingly to which profile it would be running with.
## Best Practices
Watch this video for a deep dive into the best practices for running Dapr in production with Kubernetes
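Review bot: the requirement stated in the new paragraph is too weak: the Restricted Pod Security Standard does not just require `seccompProfile` to be non-nil, it requires `securityContext.seccompProfile.type` to be `RuntimeDefault` or `Localhost`, and rejects both an unset profile and `Unconfined`, so "needs to have `securityContext.seccompProfile.Type` to not be `nil`" should name the accepted values (and the field is lowercase `type` in the Kubernetes API, as the annotation table in this same commit spells it). Same paragraph, wording: "contianer" → "container", "sidecar container needs" → "the sidecar container needs". The "Refer to [this] documentation" sentence would be clearer if it named the annotation that sets the field, `dapr.io/sidecar-seccomp-profile-type`, and read "according to the profile it will run under" rather than "accordingly to which profile it would be running with".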
@ -66,4 +66,4 @@ This table is meant to help users understand the equivalent options for running
| not supported | not supported | | `dapr.io/volume-mounts` | List of pod volumes to be mounted to the sidecar container in read-only mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. |
| not supported | not supported | | `dapr.io/volume-mounts-rw` | List of pod volumes to be mounted to the sidecar container in read-write mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. |
| `--disable-builtin-k8s-secret-store` | not supported | | `dapr.io/disable-builtin-k8s-secret-store` | Disables BuiltIn Kubernetes secret store. Default value is false. See [Kubernetes secret store component]({{<ref "kubernetes-secret-store.md">}}) for details. |
| not supported | not supported | | `dapr.io/sidecar-seccomp-profile-type` | Set sidecar container's `securityContext.seccompProfile.type` to `Unconfined`, `RuntimeDefault`, or `Localhost`. By default, the field will be ommited from sidecar container. |
| not supported | not supported | | `dapr.io/sidecar-seccomp-profile-type` | Set sidecar container's `securityContext.seccompProfile.type` to `Unconfined`, `RuntimeDefault`, or `Localhost`. By default, this annotation is not set on the Dapr sidecar, hence the filed will be omitted from sidecar container. |
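Review bot: the replacement row for `dapr.io/sidecar-seccomp-profile-type` still has a typo, "the filed will be omitted" → "the field will be omitted", and the clause "this annotation is not set on the Dapr sidecar, hence the filed will be omitted from sidecar container" says the same thing twice; suggest "By default this annotation is not set and the field is omitted from the sidecar container." Since the section added in the first hunk exists to get the sidecar past the Restricted profile, this row is the place to say which of the three values satisfy it (`RuntimeDefault` or `Localhost`; `Unconfined` is rejected under Restricted). Minor: "Set sidecar container's" → "Sets the sidecar container's".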