SeccompProfile CRD: add new fields for seccomp notify #801
Conversation
Welcome @alban!
Hi @alban. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with `/ok-to-test`. Once the patch is verified, the new status will be reflected by the label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I'm no maintainer here, but if it helps I have worked in the runtime-spec and runc changes and this LGTM :)
/ok-to-test
Awesome, thank you for the contribution!
I just have one nit which may block the boilerplate check. Otherwise LGTM
build / bpf-btf is fixed in #798
Seccomp notify is a new feature in container runtimes introduced by
- opencontainers/runtime-spec#1074
- opencontainers/runc#2682 (available in runc 1.1.0)
This patch adds:
- The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a seccomp agent
- The ListenerPath and ListenerMetadata fields so the runtime can contact the seccomp agent.
Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See opencontainers/runtime-spec#1096 for details.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: alban, saschagrunert
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing `/approve` in a comment.
Will merge after the approval is recorded.
What type of PR is this?
/kind feature
/kind api-change
What this PR does / why we need it:
This PR adds support for Seccomp Profiles that make use of the Seccomp Notify feature. Seccomp Notify is a new feature in container runtimes introduced by
- opencontainers/runtime-spec#1074
- opencontainers/runc#2682 (available in runc 1.1.0)
This patch adds:
- The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a seccomp agent
- The ListenerPath and ListenerMetadata fields so the runtime can contact the seccomp agent.
Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See
opencontainers/runtime-spec#1096 for details.
We need this so users can install Seccomp Profiles on worker nodes.
Which issue(s) this PR fixes:
None
Does this PR have test?
No.
One could be implemented in a similar way to test/tc_base_profiles_test.go but then we would need to implement a Seccomp Agent listening on the UNIX socket just for the test. I don't think it is worth the complexity.
Special notes for your reviewer:
Does this PR introduce a user-facing change?
cc @rata @mauriciovasquezbernal
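The PR body above says a profile that uses SCMP_ACT_NOTIFY only works if the runtime can reach a seccomp agent through the listener fields. The following Go program is an added example, not code from this PR or from the security-profiles-operator: it parses a seccomp profile in the OCI runtime-spec JSON shape (`defaultAction`, `syscalls[].action`, `listenerPath`, `listenerMetadata`), and rejects profiles that defer syscalls to an agent without naming an absolute UNIX socket path for it. The two sample profiles, the socket path `/run/seccomp-agent.sock` and the metadata string are constructed for the example; the operator's CRD may map these fields differently, so treat the JSON field names as an assumption about the runtime-spec format rather than about the CRD.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// ActNotify is the seccomp action added by this PR: the kernel pauses the
// syscall and a user-space agent decides whether it proceeds.
const ActNotify = "SCMP_ACT_NOTIFY"

// Syscall is the subset of an OCI seccomp rule needed for this check.
type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// Seccomp mirrors the OCI runtime-spec linux.seccomp object (assumed field
// names follow the spec; only the fields relevant to notify are modelled).
type Seccomp struct {
	DefaultAction    string    `json:"defaultAction"`
	ListenerPath     string    `json:"listenerPath,omitempty"`
	ListenerMetadata string    `json:"listenerMetadata,omitempty"`
	Syscalls         []Syscall `json:"syscalls"`
}

// GoodProfileJSON is a constructed profile: mount/umount2 are deferred to an
// agent reachable on an absolute socket path, reboot is denied outright.
const GoodProfileJSON = `{
  "defaultAction": "SCMP_ACT_ALLOW",
  "listenerPath": "/run/seccomp-agent.sock",
  "listenerMetadata": "constructed-example-metadata",
  "syscalls": [
    {"names": ["mount", "umount2"], "action": "SCMP_ACT_NOTIFY"},
    {"names": ["reboot"], "action": "SCMP_ACT_ERRNO"}
  ]
}`

// BadProfileJSON is a constructed profile that uses SCMP_ACT_NOTIFY but gives
// the runtime no listener to send notifications to.
const BadProfileJSON = `{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {"names": ["mount"], "action": "SCMP_ACT_NOTIFY"}
  ]
}`

// UsesNotify reports whether the default action or any rule defers to an agent.
func UsesNotify(p *Seccomp) bool {
	if p.DefaultAction == ActNotify {
		return true
	}
	for _, s := range p.Syscalls {
		if s.Action == ActNotify {
			return true
		}
	}
	return false
}

// ValidateNotify returns an error when notify is used without a usable
// listener path. A relative path is rejected because the runtime resolves the
// socket on the host, not relative to the profile file.
func ValidateNotify(p *Seccomp) error {
	if !UsesNotify(p) {
		return nil
	}
	if p.ListenerPath == "" {
		return fmt.Errorf("%s is used but listenerPath is empty", ActNotify)
	}
	if !filepath.IsAbs(p.ListenerPath) {
		return fmt.Errorf("listenerPath %q must be an absolute path", p.ListenerPath)
	}
	return nil
}

// ParseAndValidate decodes a profile and applies the notify check.
func ParseAndValidate(raw []byte) (*Seccomp, error) {
	var p Seccomp
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("invalid seccomp JSON: %w", err)
	}
	if err := ValidateNotify(&p); err != nil {
		return nil, err
	}
	return &p, nil
}

func main() {
	for name, raw := range map[string]string{"good": GoodProfileJSON, "bad": BadProfileJSON} {
		if _, err := ParseAndValidate([]byte(raw)); err != nil {
			fmt.Printf("%s profile rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%s profile accepted\n", name)
	}
}
```

The check is deliberately structural: it does not open the socket, because a profile is validated at install time on the node while the agent may only start later. What it does catch is the case the PR description warns about implicitly, a profile that defers syscalls but leaves the runtime with nowhere to send the notifications.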