Merge pull request #15919 from colinhoglund/add_seccompdefault_kubelet_flag

Add `SeccompDefault` kubelet config
Kubernetes Prow Robot 2023-09-16 21:20:13 -07:00 committed by GitHub
commit d35af73936
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 51 additions and 0 deletions


@ -816,6 +816,20 @@ spec:
Note that Kubelet will fail to install the shutdown inhibtor on systems where logind is configured with an `InhibitDelayMaxSeconds` lower than `shutdownGracePeriod`. On Ubuntu, this setting is 30 seconds.
### SeccompDefault
[SeccompDefault](https://kubernetes.io/blog/2021/08/25/seccomp-default/) enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. (Default: false)
Note that a feature gate is required to enable the feature, and the feature is turned on using kubelet config.
```yaml
spec:
kubelet:
featureGates:
SeccompDefault: "true"
seccompDefault: true
```
## kubeScheduler
This block contains configurations for `kube-scheduler`. See https://kubernetes.io/docs/admin/kube-scheduler/


@ -3966,6 +3966,10 @@ spec:
description: RuntimeRequestTimeout is timeout for runtime requests
on - pull, logs, exec and attach
type: string
seccompDefault:
description: SeccompDefault enables the use of `RuntimeDefault`
as the default seccomp profile for all workloads.
type: boolean
seccompProfileRoot:
description: SeccompProfileRoot is the directory path for seccomp
profiles.
@ -4400,6 +4404,10 @@ spec:
description: RuntimeRequestTimeout is timeout for runtime requests
on - pull, logs, exec and attach
type: string
seccompDefault:
description: SeccompDefault enables the use of `RuntimeDefault`
as the default seccomp profile for all workloads.
type: boolean
seccompProfileRoot:
description: SeccompProfileRoot is the directory path for seccomp
profiles.


@ -734,6 +734,10 @@ spec:
description: RuntimeRequestTimeout is timeout for runtime requests
on - pull, logs, exec and attach
type: string
seccompDefault:
description: SeccompDefault enables the use of `RuntimeDefault`
as the default seccomp profile for all workloads.
type: boolean
seccompProfileRoot:
description: SeccompProfileRoot is the directory path for seccomp
profiles.


@ -57,6 +57,8 @@ type KubeletConfigSpec struct {
HostnameOverride string `json:"hostnameOverride,omitempty" flag:"hostname-override"`
// PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
PodInfraContainerImage string `json:"podInfraContainerImage,omitempty" flag:"pod-infra-container-image"`
// SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
SeccompDefault *bool `json:"seccompDefault,omitempty" flag:"seccomp-default"`
// SeccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot *string `json:"seccompProfileRoot,omitempty" flag:"seccomp-profile-root"`
// AllowPrivileged enables containers to request privileged mode (defaults to false)
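Review bot: The comment on the new `SeccompDefault` field leaves out the precondition the PR's own docs state, namely that the kubelet only honours `--seccomp-default` when the `SeccompDefault` feature gate is enabled (required on Kubernetes releases before 1.27, where the feature went GA and the gate is locked on); since this comment is what surfaces as the CRD description, I would extend it with `// On Kubernetes releases before 1.27 the SeccompDefault feature gate must also be enabled in featureGates; without it the kubelet's configuration validation is expected to reject the setting.` The same field and comment are added to the v1alpha2 and v1alpha3 copies of `KubeletConfigSpec` in the later sections, so any wording change should be mirrored there. Beyond documentation, it may be worth a kops-side validation that flags `seccompDefault: true` without the matching feature gate on pre-1.27 clusters, so the misconfiguration surfaces at apply time rather than as a kubelet startup failure on every node; I am inferring from the docs hunk that no such check is part of this change. The `KubeletConfigSpec` struct starts before the hunk.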


@ -57,6 +57,8 @@ type KubeletConfigSpec struct {
HostnameOverride string `json:"hostnameOverride,omitempty" flag:"hostname-override"`
// PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
PodInfraContainerImage string `json:"podInfraContainerImage,omitempty" flag:"pod-infra-container-image"`
// SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
SeccompDefault *bool `json:"seccompDefault,omitempty" flag:"seccomp-default"`
// SeccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot *string `json:"seccompProfileRoot,omitempty" flag:"seccomp-profile-root"`
// AllowPrivileged enables containers to request privileged mode (defaults to false)


@ -5393,6 +5393,7 @@ func autoConvert_v1alpha2_KubeletConfigSpec_To_kops_KubeletConfigSpec(in *Kubele
out.PodManifestPath = in.PodManifestPath
out.HostnameOverride = in.HostnameOverride
out.PodInfraContainerImage = in.PodInfraContainerImage
out.SeccompDefault = in.SeccompDefault
out.SeccompProfileRoot = in.SeccompProfileRoot
out.AllowPrivileged = in.AllowPrivileged
out.EnableDebuggingHandlers = in.EnableDebuggingHandlers
@ -5494,6 +5495,7 @@ func autoConvert_kops_KubeletConfigSpec_To_v1alpha2_KubeletConfigSpec(in *kops.K
out.PodManifestPath = in.PodManifestPath
out.HostnameOverride = in.HostnameOverride
out.PodInfraContainerImage = in.PodInfraContainerImage
out.SeccompDefault = in.SeccompDefault
out.SeccompProfileRoot = in.SeccompProfileRoot
out.AllowPrivileged = in.AllowPrivileged
out.EnableDebuggingHandlers = in.EnableDebuggingHandlers


@ -3753,6 +3753,11 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) {
*out = new(int32)
**out = **in
}
if in.SeccompDefault != nil {
in, out := &in.SeccompDefault, &out.SeccompDefault
*out = new(bool)
**out = **in
}
if in.SeccompProfileRoot != nil {
in, out := &in.SeccompProfileRoot, &out.SeccompProfileRoot
*out = new(string)


@ -57,6 +57,8 @@ type KubeletConfigSpec struct {
HostnameOverride string `json:"-"`
// PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
PodInfraContainerImage string `json:"podInfraContainerImage,omitempty" flag:"pod-infra-container-image"`
// SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
SeccompDefault *bool `json:"seccompDefault,omitempty" flag:"seccomp-default"`
// SeccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot *string `json:"seccompProfileRoot,omitempty" flag:"seccomp-profile-root"`
// AllowPrivileged was removed.


@ -5784,6 +5784,7 @@ func autoConvert_v1alpha3_KubeletConfigSpec_To_kops_KubeletConfigSpec(in *Kubele
out.PodManifestPath = in.PodManifestPath
out.HostnameOverride = in.HostnameOverride
out.PodInfraContainerImage = in.PodInfraContainerImage
out.SeccompDefault = in.SeccompDefault
out.SeccompProfileRoot = in.SeccompProfileRoot
out.AllowPrivileged = in.AllowPrivileged
out.EnableDebuggingHandlers = in.EnableDebuggingHandlers
@ -5885,6 +5886,7 @@ func autoConvert_kops_KubeletConfigSpec_To_v1alpha3_KubeletConfigSpec(in *kops.K
out.PodManifestPath = in.PodManifestPath
out.HostnameOverride = in.HostnameOverride
out.PodInfraContainerImage = in.PodInfraContainerImage
out.SeccompDefault = in.SeccompDefault
out.SeccompProfileRoot = in.SeccompProfileRoot
out.AllowPrivileged = in.AllowPrivileged
out.EnableDebuggingHandlers = in.EnableDebuggingHandlers


@ -3722,6 +3722,11 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) {
*out = new(int32)
**out = **in
}
if in.SeccompDefault != nil {
in, out := &in.SeccompDefault, &out.SeccompDefault
*out = new(bool)
**out = **in
}
if in.SeccompProfileRoot != nil {
in, out := &in.SeccompProfileRoot, &out.SeccompProfileRoot
*out = new(string)


@ -3901,6 +3901,11 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) {
*out = new(int32)
**out = **in
}
if in.SeccompDefault != nil {
in, out := &in.SeccompDefault, &out.SeccompDefault
*out = new(bool)
**out = **in
}
if in.SeccompProfileRoot != nil {
in, out := &in.SeccompProfileRoot, &out.SeccompProfileRoot
*out = new(string)