gatekeeper-library
Support spec.securityContext.seccompProfile
In Kubernetes v1.19, seccomp graduated to GA which meant the seccomp annotations (seccomp.security.alpha.kubernetes.io/pod: runtime/default) were deprecated:
W0514 13:03:16.997735 41392 warnings.go:70] spec.template.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/manager]:
deprecated since v1.19; use the "seccompProfile" field instead
The "k8spspseccomp" mutating constraint should probably be updated to check both the annotation and the new field, at least until v1.25 comes out: https://github.com/open-policy-agent/gatekeeper-library/blob/259ad1bdd8945d6df451d3fc2867109d76b854e2/mutation/pod-security-policy/seccomp/samples/mutation.yaml
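The point of the issue is that a policy (validating or mutating) has to read both the deprecated annotations and the GA `securityContext.seccompProfile` field, at pod level and per container, and that a mutation must not add a default when either form is already present. The following is an added example in Python, not the library's Rego template or its Assign YAML: a standalone model of that check and of the "add a default profile" mutation. The lookup order it uses (container field, then container annotation, then pod field, then pod annotation) is the kubelet's order at the v1.19 GA; the allow-list matching (`*` and `localhost/*` wildcards) is a simplification assumed here, and the sample pod is constructed for the example.

```python
# Added example: a standalone Python model of the seccomp check and the
# "assign a default profile" mutation. NOT the library's Rego or Assign YAML.
# Reads both the deprecated annotations and the GA securityContext.seccompProfile
# field. Lookup order (container field, container annotation, pod field,
# pod annotation) follows the kubelet at the v1.19 GA.
import copy

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def field_to_annotation(security_context):
    """Translate a securityContext.seccompProfile object to annotation syntax."""
    profile = (security_context or {}).get("seccompProfile")
    if not profile:
        return None
    kind = profile.get("type")
    if kind == "RuntimeDefault":
        return "runtime/default"
    if kind == "Unconfined":
        return "unconfined"
    if kind == "Localhost":
        return "localhost/" + profile.get("localhostProfile", "")
    return None


def annotation_to_field(annotation):
    """Inverse: annotation syntax to a seccompProfile object (used by the mutation)."""
    if annotation == "runtime/default":
        return {"type": "RuntimeDefault"}
    if annotation == "unconfined":
        return {"type": "Unconfined"}
    if annotation.startswith("localhost/"):
        return {"type": "Localhost", "localhostProfile": annotation[len("localhost/"):]}
    raise ValueError(f"unrecognised seccomp profile {annotation!r}")


def effective_profiles(pod):
    """Map each container name to its effective profile string, or None if unset."""
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations") or {}
    pod_field = field_to_annotation(spec.get("securityContext"))
    pod_annotation = annotations.get(POD_ANNOTATION)
    out = {}
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        name = container["name"]
        candidates = (
            field_to_annotation(container.get("securityContext")),
            annotations.get(CONTAINER_ANNOTATION_PREFIX + name),
            pod_field,
            pod_annotation,
        )
        out[name] = next((p for p in candidates if p), None)
    return out


def _allowed(profile, allowed_profiles):
    # Simplified allow-list semantics assumed for this example.
    if "*" in allowed_profiles or profile in allowed_profiles:
        return True
    return profile.startswith("localhost/") and "localhost/*" in allowed_profiles


def violations(pod, allowed_profiles):
    """One message per container that has no profile or uses a profile not allowed."""
    messages = []
    for name, profile in effective_profiles(pod).items():
        if profile is None:
            messages.append(f"container {name} has no seccomp profile")
        elif not _allowed(profile, allowed_profiles):
            messages.append(f"container {name} uses disallowed seccomp profile {profile}")
    return messages


def assign_default_profile(pod, default="runtime/default"):
    """Mutation: set spec.securityContext.seccompProfile only when neither the
    pod annotation nor the pod-level field already sets a profile."""
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    annotations = pod.get("metadata", {}).get("annotations") or {}
    if field_to_annotation(spec.get("securityContext")) or POD_ANNOTATION in annotations:
        return pod
    spec.setdefault("securityContext", {})["seccompProfile"] = annotation_to_field(default)
    return pod


# Constructed sample: pod-level GA field, one container overriding it via the old annotation.
SAMPLE_POD = {
    "metadata": {"name": "demo", "annotations": {CONTAINER_ANNOTATION_PREFIX + "debug": "unconfined"}},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "app"}, {"name": "debug"}],
    },
}

if __name__ == "__main__":
    print(effective_profiles(SAMPLE_POD))
    print(violations(SAMPLE_POD, ["runtime/default"]))
```

`assign_default_profile` is the part that corresponds to the mutation sample linked above: it leaves a pod alone when the profile is already expressed in either the annotation or the field, which is the check a mutation has to make until the annotation is gone.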
This issue and #188 make me think we might need a mechanism for creating constraints that do different things depending on the k8s version.
Oh it already checks the securityContext, nvm: https://github.com/open-policy-agent/gatekeeper-library/blob/259ad1bdd8945d6df451d3fc2867109d76b854e2/library/pod-security-policy/seccomp/template.yaml#L208
The mutating part does need to be updated still: https://github.com/open-policy-agent/gatekeeper-library/blob/259ad1bdd8945d6df451d3fc2867109d76b854e2/mutation/pod-security-policy/seccomp/samples/mutation.yaml
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.