kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[KEP-2413] Add docs for SeccompDefault graduation 

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit is contained in:
Sascha Grunert 2023-03-10 08:24:51 +01:00
parent f0c2c17e4b
commit 3648d983c6
No known key found for this signature in database
GPG Key ID: 09D97D153EF94D93
2 changed files with 11 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
content/en/docs/reference/command-line-tools-reference/feature-gates.md
View File

@ -179,8 +179,6 @@ For a reference to old feature gates that are removed, please refer to
| `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 |
| `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | |
| `SELinuxMountReadWriteOncePod` | `false` | Alpha | 1.25 | |
| `SeccompDefault` | `false` | Alpha | 1.22 | 1.24 |
| `SeccompDefault` | `true` | Beta | 1.25 | |
| `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | |
| `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 |
| `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | |
@ -308,6 +306,9 @@ For a reference to old feature gates that are removed, please refer to
| `RemoveSelfLink` | `false` | Alpha | 1.16 | 1.19 |
| `RemoveSelfLink` | `true` | Beta | 1.20 | 1.23 |
| `RemoveSelfLink` | `true` | GA | 1.24 | - |
| `SeccompDefault` | `false` | Alpha | 1.22 | 1.24 |
| `SeccompDefault` | `true` | Beta | 1.25 | 1.26 |
| `SeccompDefault` | `true` | GA | 1.27 | - |
| `ServerSideApply` | `false` | Alpha | 1.14 | 1.15 |
| `ServerSideApply` | `true` | Beta | 1.16 | 1.21 |
| `ServerSideApply` | `true` | GA | 1.22 | - |

23
content/en/docs/tutorials/security/seccomp.md
View File

@ -156,14 +156,12 @@ running within kind.
## Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads
{{< feature-state state="beta" for_k8s_version="v1.25" >}}
{{< feature-state state="stable" for_k8s_version="v1.27" >}}
To use seccomp profile defaulting, you must run the kubelet with the `SeccompDefault`
[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) enabled
(this is the default). You must also explicitly enable the defaulting behavior for each
node where you want to use this with the corresponding `--seccomp-default`
[command line flag](/docs/reference/command-line-tools-reference/kubelet).
Both have to be enabled simultaneously to use the feature.
To use seccomp profile defaulting, you must run the kubelet with the
`--seccomp-default`
[command line flag](/docs/reference/command-line-tools-reference/kubelet)
enabled for each node where you want to use it.
If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default, which is
defined by the container runtime, instead of using the `Unconfined` (seccomp disabled) mode.
@ -200,10 +198,8 @@ in the related Kubernetes Enhancement Proposal (KEP):
Kubernetes {{< skew currentVersion >}} lets you configure the seccomp profile
that applies when the spec for a Pod doesn't define a specific seccomp profile.
This is a beta feature and the corresponding `SeccompDefault` [feature
gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled by
default. However, you still need to enable this defaulting for each node where
you would like to use it.
However, you still need to enable this defaulting for each node where you would
like to use it.
If you are running a Kubernetes {{< skew currentVersion >}} cluster and want to
enable the feature, either run the kubelet with the `--seccomp-default` command
@ -216,8 +212,6 @@ the minimum required Kubernetes version and enables the `SeccompDefault` feature
```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
SeccompDefault: true
nodes:
- role: control-plane
image: kindest/node:v1.23.0@sha256:49824ab1727c04e56a21a5d8372a402fcd32ea51ac96a2706a12af38934f81ac
@ -234,7 +228,6 @@ nodes:
kind: JoinConfiguration
nodeRegistration:
kubeletExtraArgs:
feature-gates: SeccompDefault=true
seccomp-default: "true"
```
@ -272,7 +265,7 @@ or not. You can adopt these defaults for your workload by setting the seccomp
type in the security context of a pod or container to `RuntimeDefault`.
{{< note >}}
If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
If you have the `seccompDefault` [configuration](/docs/reference/config-api/kubelet-config.v1beta1/)
enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
{{< /note >}}