[KEP-2413] Add docs for SeccompDefault graduation

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit is contained in:
Sascha Grunert 2023-03-10 08:24:51 +01:00
parent f0c2c17e4b
commit 3648d983c6
GPG Key ID: 09D97D153EF94D93
2 changed files with 11 additions and 17 deletions


@ -179,8 +179,6 @@ For a reference to old feature gates that are removed, please refer to
| `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 | | `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 |
| `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | | | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | |
| `SELinuxMountReadWriteOncePod` | `false` | Alpha | 1.25 | | | `SELinuxMountReadWriteOncePod` | `false` | Alpha | 1.25 | |
| `SeccompDefault` | `false` | Alpha | 1.22 | 1.24 |
| `SeccompDefault` | `true` | Beta | 1.25 | |
| `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | | | `ServiceNodePortStaticSubrange` | `false` | Alpha | 1.27 | |
| `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 | | `SizeMemoryBackedVolumes` | `false` | Alpha | 1.20 | 1.21 |
| `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | | | `SizeMemoryBackedVolumes` | `true` | Beta | 1.22 | |
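Review bot: removing both `SeccompDefault` rows from the Alpha/Beta table is only correct if the same gate appears in the graduated table with matching Alpha (1.22 to 1.24) and Beta (from 1.25) values; please double-check the two tables agree, since the Beta row here has no "until" version and the graduated entry will need one.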
@ -308,6 +306,9 @@ For a reference to old feature gates that are removed, please refer to
| `RemoveSelfLink` | `false` | Alpha | 1.16 | 1.19 | | `RemoveSelfLink` | `false` | Alpha | 1.16 | 1.19 |
| `RemoveSelfLink` | `true` | Beta | 1.20 | 1.23 | | `RemoveSelfLink` | `true` | Beta | 1.20 | 1.23 |
| `RemoveSelfLink` | `true` | GA | 1.24 | - | | `RemoveSelfLink` | `true` | GA | 1.24 | - |
| `SeccompDefault` | `false` | Alpha | 1.22 | 1.24 |
| `SeccompDefault` | `true` | Beta | 1.25 | 1.26 |
| `SeccompDefault` | `true` | GA | 1.27 | - |
| `ServerSideApply` | `false` | Alpha | 1.14 | 1.15 | | `ServerSideApply` | `false` | Alpha | 1.14 | 1.15 |
| `ServerSideApply` | `true` | Beta | 1.16 | 1.21 | | `ServerSideApply` | `true` | Beta | 1.16 | 1.21 |
| `ServerSideApply` | `true` | GA | 1.22 | - | | `ServerSideApply` | `true` | GA | 1.22 | - |
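Review bot: the Beta row now ends at 1.26 and the GA row starts at 1.27, which is consistent with the `{{< feature-state state="stable" for_k8s_version="v1.27" >}}` shortcode elsewhere in this change; consider adding a short line in the surrounding text noting that a GA feature gate is enabled by default and cannot be disabled, so readers do not keep passing `--feature-gates=SeccompDefault=true`.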


@ -156,14 +156,12 @@ running within kind.
## Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads ## Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads
{{< feature-state state="beta" for_k8s_version="v1.25" >}} {{< feature-state state="stable" for_k8s_version="v1.27" >}}
To use seccomp profile defaulting, you must run the kubelet with the `SeccompDefault` To use seccomp profile defaulting, you must run the kubelet with the
[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) enabled `--seccomp-default`
(this is the default). You must also explicitly enable the defaulting behavior for each [command line flag](/docs/reference/command-line-tools-reference/kubelet)
node where you want to use this with the corresponding `--seccomp-default` enabled for each node where you want to use it.
[command line flag](/docs/reference/command-line-tools-reference/kubelet).
Both have to be enabled simultaneously to use the feature.
If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default, which is If enabled, the kubelet will use the `RuntimeDefault` seccomp profile by default, which is
defined by the container runtime, instead of using the `Unconfined` (seccomp disabled) mode. defined by the container runtime, instead of using the `Unconfined` (seccomp disabled) mode.
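Review bot: with the feature gate sentence and "Both have to be enabled simultaneously" gone, the new paragraph should state explicitly that graduation of the gate does not switch seccomp defaulting on; the `--seccomp-default` flag remains an opt-in per node, which the phrase "enabled for each node where you want to use it" only implies. One sentence such as "Graduation to GA only removes the feature gate; the kubelet still defaults to `Unconfined` unless `--seccomp-default` is set." would make that clear.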
@ -200,10 +198,8 @@ in the related Kubernetes Enhancement Proposal (KEP):
Kubernetes {{< skew currentVersion >}} lets you configure the seccomp profile Kubernetes {{< skew currentVersion >}} lets you configure the seccomp profile
that applies when the spec for a Pod doesn't define a specific seccomp profile. that applies when the spec for a Pod doesn't define a specific seccomp profile.
This is a beta feature and the corresponding `SeccompDefault` [feature However, you still need to enable this defaulting for each node where you would
gate](/docs/reference/command-line-tools-reference/feature-gates/) is enabled by like to use it.
default. However, you still need to enable this defaulting for each node where
you would like to use it.
If you are running a Kubernetes {{< skew currentVersion >}} cluster and want to If you are running a Kubernetes {{< skew currentVersion >}} cluster and want to
enable the feature, either run the kubelet with the `--seccomp-default` command enable the feature, either run the kubelet with the `--seccomp-default` command
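Review bot: the new text opens with "However, you still need to enable this defaulting for each node", but the sentence it contrasted with (the gate being enabled by default) was removed, so "However" now has nothing to refer to; drop it and start with "You still need to enable this defaulting for each node where you would like to use it."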
@ -216,8 +212,6 @@ the minimum required Kubernetes version and enables the `SeccompDefault` feature
```yaml ```yaml
kind: Cluster kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4 apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
SeccompDefault: true
nodes: nodes:
- role: control-plane - role: control-plane
image: kindest/node:v1.23.0@sha256:49824ab1727c04e56a21a5d8372a402fcd32ea51ac96a2706a12af38934f81ac image: kindest/node:v1.23.0@sha256:49824ab1727c04e56a21a5d8372a402fcd32ea51ac96a2706a12af38934f81ac
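Review bot: removing `featureGates: SeccompDefault: true` leaves this kind example with `image: kindest/node:v1.23.0@sha256:...`, a release in the Alpha range (1.22 to 1.24) where the gate defaults to `false` according to the table in this change, so the example as written would no longer enable the feature; the hunk header text "the minimum required Kubernetes version and enables the `SeccompDefault` feature" is also stale. Bump the node image to a release where the gate is GA (v1.27 or later, with its matching digest) and reword the introduction so it no longer mentions enabling the gate.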
@ -234,7 +228,6 @@ nodes:
kind: JoinConfiguration kind: JoinConfiguration
nodeRegistration: nodeRegistration:
kubeletExtraArgs: kubeletExtraArgs:
feature-gates: SeccompDefault=true
seccomp-default: "true" seccomp-default: "true"
``` ```
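Review bot: dropping `feature-gates: SeccompDefault=true` from `kubeletExtraArgs` is fine for a GA gate, but the example still relies on the node image chosen above being a release where the gate is on by default; the remaining `seccomp-default: "true"` line is the part that actually turns defaulting on and is worth a one-line comment saying so.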
@ -272,7 +265,7 @@ or not. You can adopt these defaults for your workload by setting the seccomp
type in the security context of a pod or container to `RuntimeDefault`. type in the security context of a pod or container to `RuntimeDefault`.
{{< note >}} {{< note >}}
If you have the `SeccompDefault` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) If you have the `seccompDefault` [configuration](/docs/reference/config-api/kubelet-config.v1beta1/)
enabled, then Pods use the `RuntimeDefault` seccomp profile whenever enabled, then Pods use the `RuntimeDefault` seccomp profile whenever
no other seccomp profile is specified. Otherwise, the default is `Unconfined`. no other seccomp profile is specified. Otherwise, the default is `Unconfined`.
{{< /note >}} {{< /note >}}
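Review bot: this note now refers to the `seccompDefault` [configuration](/docs/reference/config-api/kubelet-config.v1beta1/) field, while the enabling instructions earlier in the same page only mention the `--seccomp-default` command line flag; say that the two are equivalent (for example "via the `--seccomp-default` flag or the `seccompDefault` field of the kubelet configuration") so readers do not think a second setting is required.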