Seccomp: Automated base profile generation

Open JAORMX opened this issue 3 years ago • 10 comments

Context

As container tooling evolves and more releases happen for the base tooling, we'll need to keep track by also shipping base profiles that match this. We do ship base profiles for runc and crun, however, in order to keep the tool relevant, we need to keep shipping newer versions of these profiles. In order to do this in a sustainable manner, we should resort to automated means to generate these profiles.

Request

The ask is to get CI jobs that would record base seccomp profiles and update them (or create new ones) as new versions come.

JAORMX avatar Mar 09 '22 11:03 JAORMX

@saschagrunert @jhrozek @pjbgf ideas for this are welcome

JAORMX avatar Mar 09 '22 11:03 JAORMX

Sounds like a great idea to me. The bpf recorder should be able to handle that in one of the test VMs (Fedora or Ubuntu).

saschagrunert avatar Mar 09 '22 11:03 saschagrunert

@saschagrunert do you have a reference of how you did the ones that are currently in the repo?

JAORMX avatar Mar 09 '22 15:03 JAORMX

We could use this vagrantfile as a base: https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/hack/ci/Vagrantfile-ubuntu

And integrate it in the same way we run the e2e tests: https://github.com/kubernetes-sigs/security-profiles-operator/blob/721f81289a06d5f6a7c340f430a512189193cf8b/.github/workflows/test.yml#L98-L126

The CRI-O installation script already installs runc and crun. So we would need an additional step to install the selected runc version and point the CRI-O configuration (via a drop-in) to the runtime. After the cluster bootstrap I'd create the cert-manager as well as the operator (local image like we do it in the e2e tests). Then we could invoke a script to deploy the base recording and run a workload to collect the profile. This profile can then be collected as a build artifact within the repository, while we error out if there is a diff between the generated and local ones. :)

saschagrunert avatar Mar 09 '22 16:03 saschagrunert
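One way to build the "error out if there is a diff" gate sketched in the comment above, written here as an added example and not code from the thread or from the security-profiles-operator repository. It assumes the committed base profile and the freshly recorded one have already been exported to the OCI seccomp JSON shape (the same defaultAction and syscalls fields an SPO SeccompProfile carries under .spec; that conversion step is assumed, not shown), normalizes both into per-action syscall sets so that differences in rule ordering or grouping cannot raise a false alarm, and fails the job only when a syscall or the default action actually changed. The two embedded profiles are constructed samples, not the repository's runc or crun profiles.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// SeccompProfile is the subset of the OCI runtime-spec seccomp format this check needs.
// The same fields sit under .spec of an SPO SeccompProfile object; converting that
// YAML to JSON is assumed to happen in an earlier CI step and is not shown here.
type SeccompProfile struct {
	DefaultAction string        `json:"defaultAction"`
	Syscalls      []SyscallRule `json:"syscalls"`
}
type SyscallRule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// Diff is keyed by seccomp action; syscall names are sorted so CI output is stable.
type Diff struct {
	DefaultActionChanged bool
	OnlyRecorded         map[string][]string // in the fresh recording, missing from the repo copy
	OnlyCommitted        map[string][]string // in the repo copy, missing from the fresh recording
}

func (d Diff) Empty() bool {
	return !d.DefaultActionChanged && len(d.OnlyRecorded) == 0 && len(d.OnlyCommitted) == 0
}

// byAction flattens rules into action -> set of names, so rule order and grouping
// (which a recorder does not keep stable) cannot produce a spurious diff.
func byAction(p SeccompProfile) map[string]map[string]bool {
	out := map[string]map[string]bool{}
	for _, r := range p.Syscalls {
		if out[r.Action] == nil {
			out[r.Action] = map[string]bool{}
		}
		for _, n := range r.Names {
			out[r.Action][n] = true
		}
	}
	return out
}

// missing returns, per action, the names present in a but absent from b.
func missing(a, b map[string]map[string]bool) map[string][]string {
	res := map[string][]string{}
	for action, names := range a {
		for n := range names {
			if !b[action][n] {
				res[action] = append(res[action], n)
			}
		}
		sort.Strings(res[action])
	}
	return res
}

// Compare parses both profiles and returns their normalized difference.
func Compare(committedJSON, recordedJSON []byte) (Diff, error) {
	var committed, recorded SeccompProfile
	if err := json.Unmarshal(committedJSON, &committed); err != nil {
		return Diff{}, fmt.Errorf("committed profile: %w", err)
	}
	if err := json.Unmarshal(recordedJSON, &recorded); err != nil {
		return Diff{}, fmt.Errorf("recorded profile: %w", err)
	}
	c, r := byAction(committed), byAction(recorded)
	return Diff{
		DefaultActionChanged: committed.DefaultAction != recorded.DefaultAction,
		OnlyRecorded:         missing(r, c),
		OnlyCommitted:        missing(c, r),
	}, nil
}

// Constructed samples for a stand-alone run; not profiles from the repository. The
// recording regroups the same syscalls into one rule and swaps openat for openat2.
const CommittedSample = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[
 {"names":["read","write","close","openat"],"action":"SCMP_ACT_ALLOW"},
 {"names":["execve","mmap"],"action":"SCMP_ACT_ALLOW"}]}`
const RecordedSample = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[
 {"names":["mmap","execve","close","read","write","openat2"],"action":"SCMP_ACT_ALLOW"}]}`

// main is the CI gate: exit 0 when the repo copy matches the recording, 1 when it
// must be updated, 2 on parse errors. A real job would read both from files here.
func main() {
	diff, err := Compare([]byte(CommittedSample), []byte(RecordedSample))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if diff.Empty() {
		fmt.Println("base profile is up to date")
		return
	}
	fmt.Printf("defaultAction changed: %v\n+ only in recording: %v\n- only in repo: %v\n",
		diff.DefaultActionChanged, diff.OnlyRecorded, diff.OnlyCommitted)
	os.Exit(1)
}
```

Comparing the default action separately from the name sets matters: a recording whose defaultAction drifted from SCMP_ACT_ERRNO to SCMP_ACT_ALLOW would otherwise pass a diff that only looks at the allow-list, and that is exactly the regression a base profile must never ship with.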

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jun 07 '22 17:06 k8s-triage-robot

/lifecycle rotten

k8s-triage-robot avatar Jul 07 '22 17:07 k8s-triage-robot

/close

k8s-triage-robot avatar Aug 06 '22 17:08 k8s-triage-robot

@k8s-triage-robot: Closing this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 06 '22 17:08 k8s-ci-robot

/reopen /remove-lifecycle rotten

JAORMX avatar Aug 12 '22 07:08 JAORMX

@JAORMX: Reopened this issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 12 '22 07:08 k8s-ci-robot

/lifecycle stale

k8s-triage-robot avatar Nov 10 '22 07:11 k8s-triage-robot

/remove-lifecycle stale

vaibhav2107 avatar Nov 16 '22 11:11 vaibhav2107

/lifecycle stale

k8s-triage-robot avatar Feb 14 '23 11:02 k8s-triage-robot

/lifecycle rotten

k8s-triage-robot avatar Mar 16 '23 12:03 k8s-triage-robot

That's done! :)

saschagrunert avatar Mar 16 '23 12:03 saschagrunert