Seccomp

Open pweil- opened this issue 9 years ago • 144 comments

Description

Seccomp support provides the ability to define seccomp profiles and configure pods to run with those profiles. This includes the ability to control usage of the profiles via PSP, as well as maintaining the ability to run as unconfined or with the default container runtime profile.

KEP: sig-node/20190717-seccomp-ga.md
Latest PR to update the KEP: #1747

Progress Tracker

  • [x] Alpha
    • [x] Write and maintain draft quality doc: available in downstream OpenShift https://github.com/openshift/openshift-docs/pull/2975
    • [x] Design Approval
      • [x] Design Proposal #24602
      • [x] Decide which repo this feature's code will be checked into. Not everything needs to land in the core kubernetes repo. REPO-NAME
      • [x] Initial API review (if API). Maybe same PR as design doc. https://github.com/kubernetes/kubernetes/pull/24602
        • Any code that changes an API (/pkg/apis/...)
        • cc @kubernetes/api
      • [x] Identify shepherd (your SIG lead and/or [email protected] will be able to help you). My Shepherd is: [email protected] (and/or GH Handle)
        • A shepherd is an individual who will help acquaint you with the process of getting your feature into the repo, identify reviewers and provide feedback on the feature. They are not (necessarily) the code reviewer of the feature, or tech lead for the area.
        • The shepherd is not responsible for showing up to Kubernetes-PM meetings and/or communicating if the feature is on-track to make the release goals. That is still your responsibility.
      • [x] Identify secondary/backup contact point. My Secondary Contact Point is: [email protected] (and/or GH Handle)
    • [x] Write (code + tests + docs) then get them merged. https://github.com/kubernetes/kubernetes/pull/25324 https://github.com/kubernetes/kubernetes/pull/26710 https://github.com/kubernetes/kubernetes/pull/27036
      • [x] ~~Code needs to be disabled by default. Verified by code OWNERS~~
      • [x] Minimal testing: limited e2e tests https://github.com/kubernetes/kubernetes/blob/33ebe1f18b9cf5909931376f656e19e80ac9ac1c/test/e2e/security_context.go#L110
      • [x] Minimal docs
        • cc @kubernetes/docs on docs PR
        • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
        • New apis: Glossary Section Item in the docs repo: kubernetes/kubernetes.github.io
      • [x] Update release notes https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md/#changes-since-v130-alpha4
  • [x] Beta
    • [x] Testing is sufficient for beta
    • [x] User docs with tutorials
      • Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
      • cc @kubernetes/docs on docs PR
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
    • [x] Thorough API review
      • cc @kubernetes/api
  • [x] Stable
    • [x] docs/proposals/foo.md moved to docs/design/foo.md
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
    • [x] Soak, load testing
    • [x] detailed user docs and examples
      • cc @kubernetes/docs
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers. FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

  • Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

  • Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
  • As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository, and sometimes http://github.com/kubernetes/contrib, or other repos.
  • When you are done with the code, apply the "code-complete" label.
  • When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will check that the code matches the proposed feature and design, and that everything is done, and that there is adequate testing. They won't do detailed code review: that already happened when your PRs were reviewed. When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

  • [x] Write user docs and get them merged in.
  • User docs go into http://github.com/kubernetes/kubernetes.github.io.
  • When the feature has user docs, please add a comment mentioning @kubernetes/docs.
  • When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.

pweil- avatar Oct 25 '16 14:10 pweil-
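The pod/PSP interplay the description covers, modelled as an added example (constructed here, not code from this issue or from Kubernetes itself): a pod asks for a profile through the alpha-era annotations, and a PSP's allowedProfileNames / defaultProfileName annotations decide whether the pod is admitted and which profile each container ends up with. The validation rules are a simplification of the real admission logic.

```python
# Simplified model of the alpha-era seccomp controls this issue tracks:
# a pod requests a profile through annotations, a PodSecurityPolicy (PSP)
# restricts which profile names may be used and supplies a default.
# Constructed example, not Kubernetes source; the rules are simplified.

PSP_ALLOWED = "seccomp.security.alpha.kubernetes.io/allowedProfileNames"
PSP_DEFAULT = "seccomp.security.alpha.kubernetes.io/defaultProfileName"
POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def valid_profile_syntax(profile):
    """Accept the profile forms the feature defines: the runtime's default,
    Docker's default, unconfined, or a profile file local to the node."""
    if profile in ("runtime/default", "docker/default", "unconfined"):
        return True
    return profile.startswith("localhost/") and len(profile) > len("localhost/")


def admit_pod(pod_annotations, psp_annotations, containers):
    """Return (admitted, effective, reason). effective maps container name to
    the profile handed to the runtime; None means no explicit profile was set,
    so the runtime's own behaviour applies."""
    allowed_raw = psp_annotations.get(PSP_ALLOWED)
    allowed = {p.strip() for p in allowed_raw.split(",")} if allowed_raw else set()
    default = psp_annotations.get(PSP_DEFAULT)
    effective = {}
    for name in containers:
        # A container-level annotation overrides the pod-level one; if neither
        # is set, the PSP default (when present) is applied at admission.
        profile = pod_annotations.get(CONTAINER_PREFIX + name,
                                      pod_annotations.get(POD_KEY, default))
        if profile is None:
            effective[name] = None
            continue
        if not valid_profile_syntax(profile):
            return False, {}, f"{name}: malformed seccomp profile {profile!r}"
        # Without an allowedProfileNames list the policy permits no explicit
        # profile; "*" in the list permits any well-formed profile.
        if not allowed or ("*" not in allowed and profile not in allowed):
            return False, {}, f"{name}: profile {profile!r} not allowed by PSP"
        effective[name] = profile
    return True, effective, "ok"
```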

@derekwaynecarr @sttts @erictune didn't see an issue for this but it is already in alpha. Creating this as the reminder to push it through to beta and stable.

@sttts could you provide the appropriate links to docs and PRs? I think you are closest to this code.

pweil- avatar Oct 25 '16 14:10 pweil-

@pweil- @sttts - per our discussion, this is a feature we would like to sponsor in Kubernetes 1.6 under @kubernetes/sig-node

derekwaynecarr avatar Oct 25 '16 16:10 derekwaynecarr

@pweil- @derekwaynecarr please, confirm that this feature has to be set with 1.6 milestone.

idvoretskyi avatar Oct 26 '16 12:10 idvoretskyi

@idvoretskyi we target to move it to beta for 1.6.

sttts avatar Oct 26 '16 12:10 sttts

@sttts thanks.

idvoretskyi avatar Oct 26 '16 12:10 idvoretskyi

Looks like this is still alpha:

https://github.com/kubernetes/community/blob/master/contributors/design-proposals/seccomp.md https://github.com/kubernetes/kubernetes/blob/master/pkg/api/annotation_key_constants.go#L35

And I couldn't find any documentation on kubernetes.io/docs.

bgrant0607 avatar May 30 '17 16:05 bgrant0607

@pweil- any updates for 1.8? Is this feature still on track for the release?

idvoretskyi avatar Sep 05 '17 14:09 idvoretskyi

@idvoretskyi this was not a priority for 1.8. @php-coder can you add a card to this for our PM planning? We need to stop letting this fall through the cracks and get it moved to beta and GA.

pweil- avatar Sep 11 '17 14:09 pweil-

@pweil- if this feature is not planned for 1.8 - please, update the milestone with the "next-milestone" or "1.9"

idvoretskyi avatar Sep 12 '17 14:09 idvoretskyi

I'd like to see this get to beta. Priorities (or requirements) for that include:

  1. Annotations (Pod & PodSecurityPolicy) must be moved to fields on the container SecurityContext (see https://github.com/kubernetes/community/blob/master/contributors/devel/api_changes.md#alpha-field-in-existing-api-version)
  2. Settle on the OCI spec seccomp format, and define a Kubernetes default profile (can we reuse Docker's?) https://github.com/kubernetes/kubernetes/issues/39128
     a. Figure out how the Kubernetes profile is delivered to the container runtime via CRI (/cc @yujuhong @Random-Liu )
     b. docker/default should still be allowed if the runtime is docker (for backwards compatibility)
  3. The Kubernetes default profile should be the new default. For backwards compatibility, this MUST be optional behavior (i.e. flag controlled). https://github.com/kubernetes/kubernetes/issues/39845

Is anyone interested in driving this work for the 1.9 (or 1.10) milestone? @jessfraz @kubernetes/sig-auth-feature-requests and @kubernetes/sig-node-feature-requests I'm looking at you :wink:

Also relevant: https://github.com/kubernetes/community/pull/660 (do we need to settle the decisions in that PR before proceeding?)

tallclair avatar Sep 23 '17 00:09 tallclair

/cc @destijl

tallclair avatar Sep 23 '17 00:09 tallclair

If someone has time and wants to do it they are more than welcome to and I will help answer any questions

On Sep 22, 2017 20:54, "Tim Allclair (St. Clair)" [email protected] wrote:

/cc @destijl https://github.com/destijl


jessfraz avatar Sep 24 '17 15:09 jessfraz

ok I will update the proposal and start on this tomorrow if no one else will ;)

jessfraz avatar Oct 18 '17 21:10 jessfraz

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta. /lifecycle stale

fejta-bot avatar Jan 16 '18 21:01 fejta-bot

Hey @jessfraz not sure if you got anywhere on this - I don't have bandwidth to code it, but happy to help test...

jlk avatar Jan 17 '18 01:01 jlk

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten /remove-lifecycle stale

fejta-bot avatar Feb 16 '18 01:02 fejta-bot

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close

fejta-bot avatar Mar 25 '18 21:03 fejta-bot

/reopen /lifecycle frozen /remove-lifecycle rotten

php-coder avatar Mar 26 '18 11:03 php-coder

@php-coder: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

/reopen /lifecycle frozen /remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Mar 26 '18 11:03 k8s-ci-robot

/reopen /lifecycle frozen

On Mon, Mar 26, 2018 at 7:07 AM, k8s-ci-robot [email protected] wrote:

@php-coder https://github.com/php-coder: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this https://github.com/kubernetes/features/issues/135#issuecomment-376129291 :

/reopen /lifecycle frozen /remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here https://git.k8s.io/community/contributors/devel/pull-requests.md. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue: repository.


smarterclayton avatar Mar 27 '18 04:03 smarterclayton

@smarterclayton: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

/reopen /lifecycle frozen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Mar 27 '18 04:03 k8s-ci-robot

/reopen

idvoretskyi avatar Mar 27 '18 05:03 idvoretskyi

@idvoretskyi: you can't re-open an issue/PR unless you authored it or you are assigned to it.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Mar 27 '18 05:03 k8s-ci-robot

Ihor 1, bot 0

smarterclayton avatar Mar 29 '18 01:03 smarterclayton

@pweil- @php-coder @jessfraz Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

justaugustus avatar Apr 17 '18 03:04 justaugustus

@wangzhen127 is working on it, but can't be assigned as he's not a member yet.

https://github.com/kubernetes/kubernetes/pull/62662 https://github.com/kubernetes/kubernetes/pull/62671

tallclair avatar Apr 17 '18 23:04 tallclair

Thanks for the update, Tim! /remove-lifecycle frozen

justaugustus avatar Apr 20 '18 05:04 justaugustus

@pweil- @tallclair -- We're doing one more sweep of the 1.11 Features tracking spreadsheet. Would you mind filling in any incomplete / blank fields for this feature's line item?

justaugustus avatar Jun 04 '18 01:06 justaugustus

@pweil- @tallclair -- this feature has been removed from the 1.11 milestone, as there have been no updates w.r.t. progress or docs.

cc: @jberkus

justaugustus avatar Jun 15 '18 17:06 justaugustus

@pweil- @tallclair @kubernetes/sig-auth-feature-requests @kubernetes/sig-node-feature-requests --

This feature was removed from the previous milestone, so we'd like to check in and see if there are any plans for this in Kubernetes 1.12.

If so, please ensure that this issue is up-to-date with ALL of the following information:

  • One-line feature description (can be used as a release note):
  • Primary contact (assignee):
  • Responsible SIGs:
  • Design proposal link (community repo):
  • Link to e2e and/or unit tests:
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
  • Approver (likely from SIG/area to which feature belongs):
  • Feature target (which target equals to which milestone):
    • Alpha release target (x.y)
    • Beta release target (x.y)
    • Stable release target (x.y)

Please note that the Features Freeze is July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.

In addition, please be aware of the following relevant deadlines:

  • Docs deadline (open placeholder PRs): 8/21
  • Test case freeze: 8/28

Please make sure all PRs for features have relevant release notes included as well.

Happy shipping!

/cc @justaugustus @kacole2 @robertsandoval @rajendar38

justaugustus avatar Jul 17 '18 22:07 justaugustus