From 37fdfc372e133e3af4f1b9a1b7208313a30e98c9 Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Tue, 28 Feb 2023 20:18:11 +0000 Subject: [PATCH 1/5] adding annotation information to set sidecar container's seccompprofiletype Signed-off-by: Jaydip Gabani --- daprdocs/content/en/reference/arguments-annotations-overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/daprdocs/content/en/reference/arguments-annotations-overview.md b/daprdocs/content/en/reference/arguments-annotations-overview.md index 5af0a4ed4..2b9e31c71 100644 --- a/daprdocs/content/en/reference/arguments-annotations-overview.md +++ b/daprdocs/content/en/reference/arguments-annotations-overview.md @@ -66,3 +66,4 @@ This table is meant to help users understand the equivalent options for running | not supported | not supported | | `dapr.io/volume-mounts` | List of pod volumes to be mounted to the sidecar container in read-only mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | | not supported | not supported | | `dapr.io/volume-mounts-rw` | List of pod volumes to be mounted to the sidecar container in read-write mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | | `--disable-builtin-k8s-secret-store` | not supported | | `dapr.io/disable-builtin-k8s-secret-store` | Disables BuiltIn Kubernetes secret store. Default value is false. See [Kubernetes secret store component]({{}}) for details. | +| not supported | not supported | | `dapr.io/sidecar-seccomp-profile-type` | Set sidecar container's `securityContext.seccompProfile.type` to `Unconfined`, `RuntimeDefault`, or `Localhost`. By default, the field will be ommited from sidecar container. | From 5c74c8988484e2e4a48a5a152c5dc4cb74006958 Mon Sep 17 00:00:00 2001 
From: Jaydip Gabani Date: Wed, 8 Mar 2023 22:42:58 +0000 Subject: [PATCH 2/5] adding explanation on how to configure seccompprofile Signed-off-by: Jaydip Gabani --- .../operations/hosting/kubernetes/kubernetes-production.md | 6 ++++++ .../content/en/reference/arguments-annotations-overview.md | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md index fa62602be..7a5d74fdb 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md @@ -236,6 +236,12 @@ The injector watchdog is disabled by default when running Dapr in Kubernetes mod Refer to the documentation for the [Dapr operator]({{< ref operator >}}) service for more details on the injector watchdog and how to enable it. +## Configuring seccompProfile for sidecar containers + +By default, Dapr sidecar injector injects a sidecar without any `seccompProfile`. However, to have Dapr sidecar contianer run successfully in a namespace with [Restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) profile, sidecar container needs to have `securityContext.seccompProfile.Type` to not be `nil`. + +Refer to [this]({{< ref "arguments-annotations-overview.md" >}}) documentation to set appropriate `seccompProfile` on sidecar container accordingly to which profile it would be running with. + ## Best Practices Watch this video for a deep dive into the best practices for running Dapr in production with Kubernetes diff --git a/daprdocs/content/en/reference/arguments-annotations-overview.md b/daprdocs/content/en/reference/arguments-annotations-overview.md index 2b9e31c71..ff0149e3b 100644 --- a/daprdocs/content/en/reference/arguments-annotations-overview.md +++ b/daprdocs/content/en/reference/arguments-annotations-overview.md 
@@ -66,4 +66,4 @@ This table is meant to help users understand the equivalent options for running | not supported | not supported | | `dapr.io/volume-mounts` | List of pod volumes to be mounted to the sidecar container in read-only mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | | not supported | not supported | | `dapr.io/volume-mounts-rw` | List of pod volumes to be mounted to the sidecar container in read-write mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | | `--disable-builtin-k8s-secret-store` | not supported | | `dapr.io/disable-builtin-k8s-secret-store` | Disables BuiltIn Kubernetes secret store. Default value is false. See [Kubernetes secret store component]({{}}) for details. | -| not supported | not supported | | `dapr.io/sidecar-seccomp-profile-type` | Set sidecar container's `securityContext.seccompProfile.type` to `Unconfined`, `RuntimeDefault`, or `Localhost`. By default, the field will be ommited from sidecar container. | +| not supported | not supported | | `dapr.io/sidecar-seccomp-profile-type` | Set sidecar container's `securityContext.seccompProfile.type` to `Unconfined`, `RuntimeDefault`, or `Localhost`. By default, this annotation is not set on the Dapr sidecar, hence the filed will be omitted from sidecar container. | From b0c78112aaced41a9a1dd061aceffb742707b7d6 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Wed, 29 Mar 2023 13:41:39 -0700 Subject: [PATCH 3/5] Update daprdocs/content/en/reference/arguments-annotations-overview.md Signed-off-by: Mark Fussell --- daprdocs/content/en/reference/arguments-annotations-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/reference/arguments-annotations-overview.md b/daprdocs/content/en/reference/arguments-annotations-overview.md index ff0149e3b..d1553e67e 100644 
--- a/daprdocs/content/en/reference/arguments-annotations-overview.md +++ b/daprdocs/content/en/reference/arguments-annotations-overview.md @@ -66,4 +66,4 @@ This table is meant to help users understand the equivalent options for running | not supported | not supported | | `dapr.io/volume-mounts` | List of pod volumes to be mounted to the sidecar container in read-only mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | | not supported | not supported | | `dapr.io/volume-mounts-rw` | List of pod volumes to be mounted to the sidecar container in read-write mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | | `--disable-builtin-k8s-secret-store` | not supported | | `dapr.io/disable-builtin-k8s-secret-store` | Disables BuiltIn Kubernetes secret store. Default value is false. See [Kubernetes secret store component]({{}}) for details. | -| not supported | not supported | | `dapr.io/sidecar-seccomp-profile-type` | Set sidecar container's `securityContext.seccompProfile.type` to `Unconfined`, `RuntimeDefault`, or `Localhost`. By default, this annotation is not set on the Dapr sidecar, hence the filed will be omitted from sidecar container. | +| not supported | not supported | | `dapr.io/sidecar-seccomp-profile-type` | Set the sidecar container's `securityContext.seccompProfile.type` to `Unconfined`, `RuntimeDefault`, or `Localhost`. By default, this annotation is not set on the Dapr sidecar, hence the field is omitted from sidecar container. | From 125f77b424f4ade3be13267f7e560b75da910131 Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Wed, 29 Mar 2023 13:41:49 -0700 Subject: [PATCH 4/5] Update daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md 
Signed-off-by: Mark Fussell --- .../en/operations/hosting/kubernetes/kubernetes-production.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md index 7a5d74fdb..641b25042 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md @@ -238,7 +238,7 @@ Refer to the documentation for the [Dapr operator]({{< ref operator >}}) service ## Configuring seccompProfile for sidecar containers -By default, Dapr sidecar injector injects a sidecar without any `seccompProfile`. However, to have Dapr sidecar contianer run successfully in a namespace with [Restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) profile, sidecar container needs to have `securityContext.seccompProfile.Type` to not be `nil`. +By default, the Dapr sidecar Injector injects a sidecar without any `seccompProfile`. However, to have Dapr sidecar container run successfully in a namespace with [Restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) profile, the sidecar container needs to have `securityContext.seccompProfile.Type` to not be `nil`. Refer to [this]({{< ref "arguments-annotations-overview.md" >}}) documentation to set appropriate `seccompProfile` on sidecar container accordingly to which profile it would be running with. From 597d6e6806323eb176ff2e38881d54bd09e6ac4c Mon Sep 17 00:00:00 2001 From: Mark Fussell Date: Wed, 29 Mar 2023 13:42:10 -0700 Subject: [PATCH 5/5] Update daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md Signed-off-by: Mark Fussell --- .../en/operations/hosting/kubernetes/kubernetes-production.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md index 641b25042..e958ea8c3 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md @@ -240,7 +240,7 @@ Refer to the documentation for the [Dapr operator]({{< ref operator >}}) service By default, the Dapr sidecar Injector injects a sidecar without any `seccompProfile`. However, to have Dapr sidecar container run successfully in a namespace with [Restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) profile, the sidecar container needs to have `securityContext.seccompProfile.Type` to not be `nil`. -Refer to [this]({{< ref "arguments-annotations-overview.md" >}}) documentation to set appropriate `seccompProfile` on sidecar container accordingly to which profile it would be running with. +Refer to [this]({{< ref "arguments-annotations-overview.md" >}}) documentation to set appropriate `seccompProfile` on sidecar container according to which profile it is running with. ## Best Practices
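Review bot: In the PATCH 1/5 hunk for arguments-annotations-overview.md, the new table row says the annotation accepts `Localhost`, but a Kubernetes `seccompProfile` of type `Localhost` is only valid together with `seccompProfile.localhostProfile`; the row should state how (or whether) the annotation sets that path, otherwise a reader choosing `Localhost` gets a pod the API server rejects. The same row has a spelling slip ("ommited" should be "omitted").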
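Review bot: In the PATCH 2/5 hunk for kubernetes-production.md, the new paragraph names the field as `securityContext.seccompProfile.Type` while the table row in the same series uses `securityContext.seccompProfile.type`; the Kubernetes field is lowercase `type`, so the paragraph should match. "needs to have ... to not be `nil`" also understates the requirement: the linked Restricted profile only admits `RuntimeDefault` or `Localhost`, so a sidecar annotated with `Unconfined` still fails admission, and the paragraph would be clearer if it said which value to pick and showed the annotation, e.g. `dapr.io/sidecar-seccomp-profile-type: "RuntimeDefault"`. Minor: "contianer" should be "container".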
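Review bot: In the PATCH 2/5 hunk for arguments-annotations-overview.md, the rewording fixes "ommited" but introduces "the filed will be omitted"; it should read "the field will be omitted".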
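Review bot: In the PATCH 3/5 hunk, the corrected sentence ends "the field is omitted from sidecar container"; for consistency with the rest of the row it should be "omitted from the sidecar container".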
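Review bot: In the PATCH 4/5 hunk, the rewrite fixes "contianer" but keeps `securityContext.seccompProfile.Type` with a capital T and the "to not be `nil`" phrasing, so the inconsistency with the table row (`seccompProfile.type`) survives this series; also "Dapr sidecar Injector" capitalises Injector where the surrounding text uses lowercase.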
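Review bot: In the PATCH 5/5 hunk, the link text "[this]" is not descriptive; suggest linking the annotation name itself, e.g. "Refer to the [arguments and annotations overview]({{< ref "arguments-annotations-overview.md" >}}) to set the appropriate `seccompProfile` on the sidecar container according to the Pod Security Standard enforced in the namespace", which also supplies the missing article before "sidecar container".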