diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md
index 9481ae74ea..7229e179d2 100644
--- a/docs/cluster_spec.md
+++ b/docs/cluster_spec.md
@@ -816,6 +816,20 @@ spec:
 Note that Kubelet will fail to install the shutdown inhibtor on systems where logind is configured with an `InhibitDelayMaxSeconds` lower than `shutdownGracePeriod`. On Ubuntu, this setting is 30 seconds.
+### SeccompDefault
+
+[SeccompDefault](https://kubernetes.io/blog/2021/08/25/seccomp-default/) enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. (Default: false)
+
+Note that a feature gate is required to enable the feature, and the feature is turned on using kubelet config.
+
+```yaml
+spec:
+ kubelet:
+ featureGates:
+ SeccompDefault: "true"
+ seccompDefault: true
+```
+
 ## kubeScheduler
 This block contains configurations for `kube-scheduler`. See https://kubernetes.io/docs/admin/kube-scheduler/
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
index 81ab6b9524..61010d0c03 100644
--- a/k8s/crds/kops.k8s.io_clusters.yaml
+++ b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -3966,6 +3966,10 @@ spec:
 description: RuntimeRequestTimeout is timeout for runtime requests on - pull, logs, exec and attach
 type: string
+ seccompDefault:
+ description: SeccompDefault enables the use of `RuntimeDefault`
+ as the default seccomp profile for all workloads.
+ type: boolean
 seccompProfileRoot:
 description: SeccompProfileRoot is the directory path for seccomp profiles.
@@ -4400,6 +4404,10 @@ spec:
 description: RuntimeRequestTimeout is timeout for runtime requests on - pull, logs, exec and attach
 type: string
+ seccompDefault:
+ description: SeccompDefault enables the use of `RuntimeDefault`
+ as the default seccomp profile for all workloads.
+ type: boolean
 seccompProfileRoot:
 description: SeccompProfileRoot is the directory path for seccomp profiles.
diff --git a/k8s/crds/kops.k8s.io_instancegroups.yaml b/k8s/crds/kops.k8s.io_instancegroups.yaml
index d0e3b79e39..9ef52b9308 100644
--- a/k8s/crds/kops.k8s.io_instancegroups.yaml
+++ b/k8s/crds/kops.k8s.io_instancegroups.yaml
@@ -734,6 +734,10 @@ spec:
 description: RuntimeRequestTimeout is timeout for runtime requests on - pull, logs, exec and attach
 type: string
+ seccompDefault:
+ description: SeccompDefault enables the use of `RuntimeDefault`
+ as the default seccomp profile for all workloads.
+ type: boolean
 seccompProfileRoot:
 description: SeccompProfileRoot is the directory path for seccomp profiles.
diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
index c446a54bfa..9bf3826529 100644
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@@ -57,6 +57,8 @@ type KubeletConfigSpec struct {
 HostnameOverride string `json:"hostnameOverride,omitempty" flag:"hostname-override"`
 // PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
 PodInfraContainerImage string `json:"podInfraContainerImage,omitempty" flag:"pod-infra-container-image"`
+ // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
+ SeccompDefault *bool `json:"seccompDefault,omitempty" flag:"seccomp-default"`
 // SeccompProfileRoot is the directory path for seccomp profiles.
 SeccompProfileRoot *string `json:"seccompProfileRoot,omitempty" flag:"seccomp-profile-root"`
 // AllowPrivileged enables containers to request privileged mode (defaults to false)
diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go
index 6c47818e2b..3a25ef8428 100644
--- a/pkg/apis/kops/v1alpha2/componentconfig.go
+++ b/pkg/apis/kops/v1alpha2/componentconfig.go
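Review bot: The doc comment on the new `SeccompDefault` field does not mention that the kubelet `SeccompDefault` feature gate must also be enabled, although the docs/cluster_spec.md hunk in this same commit states that requirement; a reader of the API type alone may set `seccompDefault: true` without the gate and not get the default profile applied. Suggest appending `Requires the SeccompDefault feature gate to be enabled via featureGates.` to the comment, here and on the identical field added in pkg/apis/kops/v1alpha2/componentconfig.go and pkg/apis/kops/v1alpha3/componentconfig.go. No validation change is visible in this diff; a kops validation check that rejects `SeccompDefault` set to true when the gate is absent from `featureGates` would surface the misconfiguration before the kubelet flags are rendered, though the kubelet's exact behavior with the flag set and the gate off should be confirmed. The enclosing `KubeletConfigSpec` struct starts and ends outside the hunk.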
@@ -57,6 +57,8 @@ type KubeletConfigSpec struct {
 HostnameOverride string `json:"hostnameOverride,omitempty" flag:"hostname-override"`
 // PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
 PodInfraContainerImage string `json:"podInfraContainerImage,omitempty" flag:"pod-infra-container-image"`
+ // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
+ SeccompDefault *bool `json:"seccompDefault,omitempty" flag:"seccomp-default"`
 // SeccompProfileRoot is the directory path for seccomp profiles.
 SeccompProfileRoot *string `json:"seccompProfileRoot,omitempty" flag:"seccomp-profile-root"`
 // AllowPrivileged enables containers to request privileged mode (defaults to false)
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 8e2bf472b4..47f9d3e1fb 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -5393,6 +5393,7 @@ func autoConvert_v1alpha2_KubeletConfigSpec_To_kops_KubeletConfigSpec(in *Kubele
 out.PodManifestPath = in.PodManifestPath
 out.HostnameOverride = in.HostnameOverride
 out.PodInfraContainerImage = in.PodInfraContainerImage
+ out.SeccompDefault = in.SeccompDefault
 out.SeccompProfileRoot = in.SeccompProfileRoot
 out.AllowPrivileged = in.AllowPrivileged
 out.EnableDebuggingHandlers = in.EnableDebuggingHandlers
@@ -5494,6 +5495,7 @@ func autoConvert_kops_KubeletConfigSpec_To_v1alpha2_KubeletConfigSpec(in *kops.K
 out.PodManifestPath = in.PodManifestPath
 out.HostnameOverride = in.HostnameOverride
 out.PodInfraContainerImage = in.PodInfraContainerImage
+ out.SeccompDefault = in.SeccompDefault
 out.SeccompProfileRoot = in.SeccompProfileRoot
 out.AllowPrivileged = in.AllowPrivileged
 out.EnableDebuggingHandlers = in.EnableDebuggingHandlers
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
index 47caff87ae..e423dff845 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
@@ -3753,6 +3753,11 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) {
 *out = new(int32)
 **out = **in
 }
+ if in.SeccompDefault != nil {
+ in, out := &in.SeccompDefault, &out.SeccompDefault
+ *out = new(bool)
+ **out = **in
+ }
 if in.SeccompProfileRoot != nil {
 in, out := &in.SeccompProfileRoot, &out.SeccompProfileRoot
 *out = new(string)
diff --git a/pkg/apis/kops/v1alpha3/componentconfig.go b/pkg/apis/kops/v1alpha3/componentconfig.go
index 2105376e58..b51fd207fa 100644
--- a/pkg/apis/kops/v1alpha3/componentconfig.go
+++ b/pkg/apis/kops/v1alpha3/componentconfig.go
@@ -57,6 +57,8 @@ type KubeletConfigSpec struct {
 HostnameOverride string `json:"-"`
 // PodInfraContainerImage is the image whose network/ipc containers in each pod will use.
 PodInfraContainerImage string `json:"podInfraContainerImage,omitempty" flag:"pod-infra-container-image"`
+ // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
+ SeccompDefault *bool `json:"seccompDefault,omitempty" flag:"seccomp-default"`
 // SeccompProfileRoot is the directory path for seccomp profiles.
 SeccompProfileRoot *string `json:"seccompProfileRoot,omitempty" flag:"seccomp-profile-root"`
 // AllowPrivileged was removed.
diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
index 1189b3f96d..135c4b6eeb 100644
--- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
@@ -5784,6 +5784,7 @@ func autoConvert_v1alpha3_KubeletConfigSpec_To_kops_KubeletConfigSpec(in *Kubele
 out.PodManifestPath = in.PodManifestPath
 out.HostnameOverride = in.HostnameOverride
 out.PodInfraContainerImage = in.PodInfraContainerImage
+ out.SeccompDefault = in.SeccompDefault
 out.SeccompProfileRoot = in.SeccompProfileRoot
 out.AllowPrivileged = in.AllowPrivileged
 out.EnableDebuggingHandlers = in.EnableDebuggingHandlers
@@ -5885,6 +5886,7 @@ func autoConvert_kops_KubeletConfigSpec_To_v1alpha3_KubeletConfigSpec(in *kops.K
 out.PodManifestPath = in.PodManifestPath
 out.HostnameOverride = in.HostnameOverride
 out.PodInfraContainerImage = in.PodInfraContainerImage
+ out.SeccompDefault = in.SeccompDefault
 out.SeccompProfileRoot = in.SeccompProfileRoot
 out.AllowPrivileged = in.AllowPrivileged
 out.EnableDebuggingHandlers = in.EnableDebuggingHandlers
diff --git a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go
index 5ec82fdf50..32fdaf53e2 100644
--- a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go
@@ -3722,6 +3722,11 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) {
 *out = new(int32)
 **out = **in
 }
+ if in.SeccompDefault != nil {
+ in, out := &in.SeccompDefault, &out.SeccompDefault
+ *out = new(bool)
+ **out = **in
+ }
 if in.SeccompProfileRoot != nil {
 in, out := &in.SeccompProfileRoot, &out.SeccompProfileRoot
 *out = new(string)
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
index fc8950d970..c7a91e28e8 100644
--- a/pkg/apis/kops/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/zz_generated.deepcopy.go
@@ -3901,6 +3901,11 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) {
 *out = new(int32)
 **out = **in
 }
+ if in.SeccompDefault != nil {
+ in, out := &in.SeccompDefault, &out.SeccompDefault
+ *out = new(bool)
+ **out = **in
+ }
 if in.SeccompProfileRoot != nil {
 in, out := &in.SeccompProfileRoot, &out.SeccompProfileRoot
 *out = new(string)