From 3e48467a277671884c6ad30f110165965cba57c4 Mon Sep 17 00:00:00 2001 From: mtilson Date: Tue, 4 Jan 2022 21:40:48 +0300 Subject: [PATCH 1/2] Remove extra command and fix reference to profile --- content/en/docs/tutorials/clusters/seccomp.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/content/en/docs/tutorials/clusters/seccomp.md b/content/en/docs/tutorials/clusters/seccomp.md index 2d4ec69999..09c51d960b 100644 --- a/content/en/docs/tutorials/clusters/seccomp.md +++ b/content/en/docs/tutorials/clusters/seccomp.md @@ -345,14 +345,13 @@ only the privileges they need. Clean up that Pod and Service before moving to the next section: ```shell -kubectl delete service violation-pod --wait kubectl delete pod violation-pod --wait --now ``` ## Create Pod with seccomp profile that only allows necessary syscalls -If you take a look at the `fine-pod.json`, you will notice some of the syscalls -seen in the first example where the profile set `"defaultAction": +If you take a look at the `fine-grained.json` profile, you will notice some of the syscalls +seen in syslog of the first example where the profile set `"defaultAction": "SCMP_ACT_LOG"`. Now the profile is setting `"defaultAction": "SCMP_ACT_ERRNO"`, but explicitly allowing a set of syscalls in the `"action": "SCMP_ACT_ALLOW"` block. Ideally, the container will run successfully and you will see no messages From 5e964818e81c8afdedc231df94a83509e4ee8007 Mon Sep 17 00:00:00 2001 From: mtilson Date: Wed, 5 Jan 2022 02:15:41 +0300 Subject: [PATCH 2/2] Remove "Service" as well --- content/en/docs/tutorials/clusters/seccomp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/tutorials/clusters/seccomp.md b/content/en/docs/tutorials/clusters/seccomp.md index 09c51d960b..465dd1b1a0 100644 --- a/content/en/docs/tutorials/clusters/seccomp.md +++ b/content/en/docs/tutorials/clusters/seccomp.md 
@@ -342,7 +342,7 @@ syscalls. Here seccomp has been instructed to error on any syscall by setting ability to do anything meaningful. What you really want is to give workloads only the privileges they need. -Clean up that Pod and Service before moving to the next section: +Clean up that Pod before moving to the next section: ```shell kubectl delete pod violation-pod --wait --now
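Review bot: In patch 1/2, the hunk at `@@ -345,14 +345,13 @@` removes `kubectl delete service violation-pod --wait` while its leading context line still reads "Clean up that Pod and Service before moving to the next section:", so after this commit alone the sentence promises a Service cleanup that the command block no longer performs. Fold the one-line wording change from 2/2 into this commit so that each commit leaves the page consistent. In the same hunk, the added text "seen in syslog of the first example" needs an article ("seen in the syslog of the first example"), and the first added line is noticeably longer than the wrapped lines around it, so rewrap the paragraph.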
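Review bot: In patch 2/2, the hunk at `@@ -342,7 +342,7 @@` changes the sentence to "Clean up that Pod before moving to the next section:", but neither hunk shows the earlier step that creates `violation-pod`, so the diff itself does not establish that no Service exists at this point. Please confirm in the commit message or PR description that the section never creates a Service for `violation-pod`. If an earlier step does create one, dropping both the command and the mention would leave the Service behind for readers who follow the tutorial in order.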