
Delivery of default seccomp Profile on each Host on site deployment

- A new schema for a Deckhand document that contains a Seccomp default
  profile.
- A SeccompProfile document whose content becomes the default seccomp
  profile file under the defined seccomp profile root.
- A bootaction that puts the default seccomp profile in place.
- Modified Kubelet config to support seccomp profile root dir's path.

Similar changes in Airship-Treasuremap :
  https://review.openstack.org/#/c/602532/

Change-Id: Ia3a5f10abd88f7e20b3594ccde68d03535ef60cf
Smruti Soumitra Khuntia 6 months ago
parent
commit
1e43bdcbc6

+ 31
- 0
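--- /dev/null
+++ b/deployment_files/global/v1.0demo/baremetal/bootactions/seccomp-profiles.yaml
@@ -0,0 +1,31 @@
+---
+schema: 'drydock/BootAction/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: seccomp-profiles
+  storagePolicy: 'cleartext'
+  layeringDefinition:
+    abstract: false
+    layer: global
+  substitutions:
+    - src:
+        schema: pegleg/SeccompProfile/v1
+        name: seccomp-default
+        path: .savePath
+      dest:
+        path: .assets[0].path
+    - src:
+        schema: pegleg/SeccompProfile/v1
+        name: seccomp-default
+        path: .content
+      dest:
+        path: .assets[0].data
+
+data:
+  signaling: false
+  assets:
+    - type: file
+      permissions: '600'
+      data_pipeline:
+        - utf8_decode
+...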
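Review bot: Dropping the file at `.assets[0].path` makes the profile available but does not make any pod use it; a profile under the kubelet's seccomp root is only applied to a container whose pod (or a PodSecurityPolicy default) references it as `localhost/seccomp_default`, so without that reference pods keep running unconfined. A line in the document saying so would stop a reader from assuming the bootaction alone hardens the node, e.g. `# NOTE: only enforced for pods that reference localhost/seccomp_default; see Kubelet.yaml for the root dir`. The bootaction also consumes only `.savePath` and `.content`, not `.seccompDirPath`, so whether the parent directory `/var/lib/kubelet/seccomp` exists before the kubelet starts depends on drydock creating intermediate directories — I cannot confirm that from this hunk, and a failed write here would be silent (`signaling: false`). `permissions: '600'` is fine for a root-owned file the kubelet reads, though the owner is not stated.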

+ 787
- 0
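--- /dev/null
+++ b/deployment_files/global/v1.0demo/profiles/security/seccomp_default.yaml
@@ -0,0 +1,787 @@
+---
+# The data content of this file is referred from the Moby project as
+# mentioned in the link below:
+# https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
+schema: 'pegleg/SeccompProfile/v1'
+metadata:
+  schema: 'metadata/Document/v1'
+  name: seccomp-default
+  storagePolicy: 'cleartext'
+  layeringDefinition:
+    abstract: false
+    layer: global
+data:
+  # Path for seccomp profile root directory.
+  seccompDirPath: /var/lib/kubelet/seccomp
+  # Path to save seccomp profile as file.
+  # This should be same as seccompDirPath with file name.
+  savePath: /var/lib/kubelet/seccomp/seccomp_default
+  # Content of default seccomp profile file.
+  content: |
+    {
+        "defaultAction": "SCMP_ACT_ERRNO",
+        "archMap": [
+            {
+                "architecture": "SCMP_ARCH_X86_64",
+                "subArchitectures": [
+                    "SCMP_ARCH_X86",
+                    "SCMP_ARCH_X32"
+                ]
+            },
+            {
+                "architecture": "SCMP_ARCH_AARCH64",
+                "subArchitectures": [
+                    "SCMP_ARCH_ARM"
+                ]
+            },
+            {
+                "architecture": "SCMP_ARCH_MIPS64",
+                "subArchitectures": [
+                    "SCMP_ARCH_MIPS",
+                    "SCMP_ARCH_MIPS64N32"
+                ]
+            },
+            {
+                "architecture": "SCMP_ARCH_MIPS64N32",
+                "subArchitectures": [
+                    "SCMP_ARCH_MIPS",
+                    "SCMP_ARCH_MIPS64"
+                ]
+            },
+            {
+                "architecture": "SCMP_ARCH_MIPSEL64",
+                "subArchitectures": [
+                    "SCMP_ARCH_MIPSEL",
+                    "SCMP_ARCH_MIPSEL64N32"
+                ]
+            },
+            {
+                "architecture": "SCMP_ARCH_MIPSEL64N32",
+                "subArchitectures": [
+                    "SCMP_ARCH_MIPSEL",
+                    "SCMP_ARCH_MIPSEL64"
+                ]
+            },
+            {
+                "architecture": "SCMP_ARCH_S390X",
+                "subArchitectures": [
+                    "SCMP_ARCH_S390"
+                ]
+            }
+        ],
+        "syscalls": [
+            {
+                "names": [
+                    "accept",
+                    "accept4",
+                    "access",
+                    "adjtimex",
+                    "alarm",
+                    "bind",
+                    "brk",
+                    "capget",
+                    "capset",
+                    "chdir",
+                    "chmod",
+                    "chown",
+                    "chown32",
+                    "clock_getres",
+                    "clock_gettime",
+                    "clock_nanosleep",
+                    "close",
+                    "connect",
+                    "copy_file_range",
+                    "creat",
+                    "dup",
+                    "dup2",
+                    "dup3",
+                    "epoll_create",
+                    "epoll_create1",
+                    "epoll_ctl",
+                    "epoll_ctl_old",
+                    "epoll_pwait",
+                    "epoll_wait",
+                    "epoll_wait_old",
+                    "eventfd",
+                    "eventfd2",
+                    "execve",
+                    "execveat",
+                    "exit",
+                    "exit_group",
+                    "faccessat",
+                    "fadvise64",
+                    "fadvise64_64",
+                    "fallocate",
+                    "fanotify_mark",
+                    "fchdir",
+                    "fchmod",
+                    "fchmodat",
+                    "fchown",
+                    "fchown32",
+                    "fchownat",
+                    "fcntl",
+                    "fcntl64",
+                    "fdatasync",
+                    "fgetxattr",
+                    "flistxattr",
+                    "flock",
+                    "fork",
+                    "fremovexattr",
+                    "fsetxattr",
+                    "fstat",
+                    "fstat64",
+                    "fstatat64",
+                    "fstatfs",
+                    "fstatfs64",
+                    "fsync",
+                    "ftruncate",
+                    "ftruncate64",
+                    "futex",
+                    "futimesat",
+                    "getcpu",
+                    "getcwd",
+                    "getdents",
+                    "getdents64",
+                    "getegid",
+                    "getegid32",
+                    "geteuid",
+                    "geteuid32",
+                    "getgid",
+                    "getgid32",
+                    "getgroups",
+                    "getgroups32",
+                    "getitimer",
+                    "getpeername",
+                    "getpgid",
+                    "getpgrp",
+                    "getpid",
+                    "getppid",
+                    "getpriority",
+                    "getrandom",
+                    "getresgid",
+                    "getresgid32",
+                    "getresuid",
+                    "getresuid32",
+                    "getrlimit",
+                    "get_robust_list",
+                    "getrusage",
+                    "getsid",
+                    "getsockname",
+                    "getsockopt",
+                    "get_thread_area",
+                    "gettid",
+                    "gettimeofday",
+                    "getuid",
+                    "getuid32",
+                    "getxattr",
+                    "inotify_add_watch",
+                    "inotify_init",
+                    "inotify_init1",
+                    "inotify_rm_watch",
+                    "io_cancel",
+                    "ioctl",
+                    "io_destroy",
+                    "io_getevents",
+                    "ioprio_get",
+                    "ioprio_set",
+                    "io_setup",
+                    "io_submit",
+                    "ipc",
+                    "kill",
+                    "lchown",
+                    "lchown32",
+                    "lgetxattr",
+                    "link",
+                    "linkat",
+                    "listen",
+                    "listxattr",
+                    "llistxattr",
+                    "_llseek",
+                    "lremovexattr",
+                    "lseek",
+                    "lsetxattr",
+                    "lstat",
+                    "lstat64",
+                    "madvise",
+                    "memfd_create",
+                    "mincore",
+                    "mkdir",
+                    "mkdirat",
+                    "mknod",
+                    "mknodat",
+                    "mlock",
+                    "mlock2",
+                    "mlockall",
+                    "mmap",
+                    "mmap2",
+                    "mprotect",
+                    "mq_getsetattr",
+                    "mq_notify",
+                    "mq_open",
+                    "mq_timedreceive",
+                    "mq_timedsend",
+                    "mq_unlink",
+                    "mremap",
+                    "msgctl",
+                    "msgget",
+                    "msgrcv",
+                    "msgsnd",
+                    "msync",
+                    "munlock",
+                    "munlockall",
+                    "munmap",
+                    "nanosleep",
+                    "newfstatat",
+                    "_newselect",
+                    "open",
+                    "openat",
+                    "pause",
+                    "pipe",
+                    "pipe2",
+                    "poll",
+                    "ppoll",
+                    "prctl",
+                    "pread64",
+                    "preadv",
+                    "preadv2",
+                    "prlimit64",
+                    "pselect6",
+                    "pwrite64",
+                    "pwritev",
+                    "pwritev2",
+                    "read",
+                    "readahead",
+                    "readlink",
+                    "readlinkat",
+                    "readv",
+                    "recv",
+                    "recvfrom",
+                    "recvmmsg",
+                    "recvmsg",
+                    "remap_file_pages",
+                    "removexattr",
+                    "rename",
+                    "renameat",
+                    "renameat2",
+                    "restart_syscall",
+                    "rmdir",
+                    "rt_sigaction",
+                    "rt_sigpending",
+                    "rt_sigprocmask",
+                    "rt_sigqueueinfo",
+                    "rt_sigreturn",
+                    "rt_sigsuspend",
+                    "rt_sigtimedwait",
+                    "rt_tgsigqueueinfo",
+                    "sched_getaffinity",
+                    "sched_getattr",
+                    "sched_getparam",
+                    "sched_get_priority_max",
+                    "sched_get_priority_min",
+                    "sched_getscheduler",
+                    "sched_rr_get_interval",
+                    "sched_setaffinity",
+                    "sched_setattr",
+                    "sched_setparam",
+                    "sched_setscheduler",
+                    "sched_yield",
+                    "seccomp",
+                    "select",
+                    "semctl",
+                    "semget",
+                    "semop",
+                    "semtimedop",
+                    "send",
+                    "sendfile",
+                    "sendfile64",
+                    "sendmmsg",
+                    "sendmsg",
+                    "sendto",
+                    "setfsgid",
+                    "setfsgid32",
+                    "setfsuid",
+                    "setfsuid32",
+                    "setgid",
+                    "setgid32",
+                    "setgroups",
+                    "setgroups32",
+                    "setitimer",
+                    "setpgid",
+                    "setpriority",
+                    "setregid",
+                    "setregid32",
+                    "setresgid",
+                    "setresgid32",
+                    "setresuid",
+                    "setresuid32",
+                    "setreuid",
+                    "setreuid32",
+                    "setrlimit",
+                    "set_robust_list",
+                    "setsid",
+                    "setsockopt",
+                    "set_thread_area",
+                    "set_tid_address",
+                    "setuid",
+                    "setuid32",
+                    "setxattr",
+                    "shmat",
+                    "shmctl",
+                    "shmdt",
+                    "shmget",
+                    "shutdown",
+                    "sigaltstack",
+                    "signalfd",
+                    "signalfd4",
+                    "sigreturn",
+                    "socket",
+                    "socketcall",
+                    "socketpair",
+                    "splice",
+                    "stat",
+                    "stat64",
+                    "statfs",
+                    "statfs64",
+                    "statx",
+                    "symlink",
+                    "symlinkat",
+                    "sync",
+                    "sync_file_range",
+                    "syncfs",
+                    "sysinfo",
+                    "syslog",
+                    "tee",
+                    "tgkill",
+                    "time",
+                    "timer_create",
+                    "timer_delete",
+                    "timerfd_create",
+                    "timerfd_gettime",
+                    "timerfd_settime",
+                    "timer_getoverrun",
+                    "timer_gettime",
+                    "timer_settime",
+                    "times",
+                    "tkill",
+                    "truncate",
+                    "truncate64",
+                    "ugetrlimit",
+                    "umask",
+                    "uname",
+                    "unlink",
+                    "unlinkat",
+                    "utime",
+                    "utimensat",
+                    "utimes",
+                    "vfork",
+                    "vmsplice",
+                    "wait4",
+                    "waitid",
+                    "waitpid",
+                    "write",
+                    "writev"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {},
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "personality"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [
+                    {
+                        "index": 0,
+                        "value": 0,
+                        "valueTwo": 0,
+                        "op": "SCMP_CMP_EQ"
+                    }
+                ],
+                "comment": "",
+                "includes": {},
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "personality"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [
+                    {
+                        "index": 0,
+                        "value": 8,
+                        "valueTwo": 0,
+                        "op": "SCMP_CMP_EQ"
+                    }
+                ],
+                "comment": "",
+                "includes": {},
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "personality"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [
+                    {
+                        "index": 0,
+                        "value": 131072,
+                        "valueTwo": 0,
+                        "op": "SCMP_CMP_EQ"
+                    }
+                ],
+                "comment": "",
+                "includes": {},
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "personality"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [
+                    {
+                        "index": 0,
+                        "value": 131080,
+                        "valueTwo": 0,
+                        "op": "SCMP_CMP_EQ"
+                    }
+                ],
+                "comment": "",
+                "includes": {},
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "personality"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [
+                    {
+                        "index": 0,
+                        "value": 4294967295,
+                        "valueTwo": 0,
+                        "op": "SCMP_CMP_EQ"
+                    }
+                ],
+                "comment": "",
+                "includes": {},
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "sync_file_range2"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "arches": [
+                        "ppc64le"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "arm_fadvise64_64",
+                    "arm_sync_file_range",
+                    "sync_file_range2",
+                    "breakpoint",
+                    "cacheflush",
+                    "set_tls"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "arches": [
+                        "arm",
+                        "arm64"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "arch_prctl"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "arches": [
+                        "amd64",
+                        "x32"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "modify_ldt"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "arches": [
+                        "amd64",
+                        "x32",
+                        "x86"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "s390_pci_mmio_read",
+                    "s390_pci_mmio_write",
+                    "s390_runtime_instr"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "arches": [
+                        "s390",
+                        "s390x"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "open_by_handle_at"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_DAC_READ_SEARCH"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "bpf",
+                    "clone",
+                    "fanotify_init",
+                    "lookup_dcookie",
+                    "mount",
+                    "name_to_handle_at",
+                    "perf_event_open",
+                    "quotactl",
+                    "setdomainname",
+                    "sethostname",
+                    "setns",
+                    "umount",
+                    "umount2",
+                    "unshare"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_ADMIN"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "clone"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [
+                    {
+                        "index": 0,
+                        "value": 2080505856,
+                        "valueTwo": 0,
+                        "op": "SCMP_CMP_MASKED_EQ"
+                    }
+                ],
+                "comment": "",
+                "includes": {},
+                "excludes": {
+                    "caps": [
+                        "CAP_SYS_ADMIN"
+                    ],
+                    "arches": [
+                        "s390",
+                        "s390x"
+                    ]
+                }
+            },
+            {
+                "names": [
+                    "clone"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [
+                    {
+                        "index": 1,
+                        "value": 2080505856,
+                        "valueTwo": 0,
+                        "op": "SCMP_CMP_MASKED_EQ"
+                    }
+                ],
+                "comment": "s390 parameter ordering for clone is different",
+                "includes": {
+                    "arches": [
+                        "s390",
+                        "s390x"
+                    ]
+                },
+                "excludes": {
+                    "caps": [
+                        "CAP_SYS_ADMIN"
+                    ]
+                }
+            },
+            {
+                "names": [
+                    "reboot"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_BOOT"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "chroot"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_CHROOT"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "delete_module",
+                    "init_module",
+                    "finit_module",
+                    "query_module"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_MODULE"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "acct"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_PACCT"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "kcmp",
+                    "process_vm_readv",
+                    "process_vm_writev",
+                    "ptrace"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_PTRACE"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "iopl",
+                    "ioperm"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_RAWIO"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "settimeofday",
+                    "stime",
+                    "clock_settime"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_TIME"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "vhangup"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_TTY_CONFIG"
+                    ]
+                },
+                "excludes": {}
+            },
+            {
+                "names": [
+                    "get_mempolicy",
+                    "mbind",
+                    "set_mempolicy"
+                ],
+                "action": "SCMP_ACT_ALLOW",
+                "args": [],
+                "comment": "",
+                "includes": {
+                    "caps": [
+                        "CAP_SYS_NICE"
+                    ]
+                },
+                "excludes": {}
+            }
+        ]
+    }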
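Review bot: The provenance comment at the top of the document points at moby `master`, which is a moving target, so nobody can later diff this allowlist against what was actually copied or notice that upstream has since added or dropped a syscall; the comment should name the exact revision, e.g. `# Copied from moby/moby profiles/seccomp/default.json at commit <sha> (<date>); re-diff against upstream when bumping the runtime`. The body also relies on Docker-profile extensions (`archMap`, and `includes`/`excludes` keyed on `caps` and `arches`) that the kubelet does not interpret itself but hands to the container runtime with the `localhost/` profile; that is correct for Docker's loader, and should be confirmed for whichever runtime this site actually deploys, since a loader that ignores those fields would silently change which syscalls the capability-gated rules allow. Because `defaultAction` is `SCMP_ACT_ERRNO`, any such drift shows up as EPERM inside workloads rather than as a deployment error.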

+ 19
- 0
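--- /dev/null
+++ b/deployment_files/global/v1.0demo/schemas/pegleg/SeccompProfile/v1.yaml
@@ -0,0 +1,19 @@
+---
+schema: 'deckhand/DataSchema/v1'
+metadata:
+  schema: metadata/Control/v1
+  name: pegleg/SeccompProfile/v1
+  labels:
+    application: pegleg
+data:
+  $schema: 'http://json-schema.org/schema#'
+  type: 'object'
+  additionalProperties: false
+  properties:
+    seccompDirPath:
+      type: 'string'
+    savePath:
+      type: 'string'
+    content:
+      type: 'string'
+  required: ['seccompDirPath', 'savePath', 'content']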
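Review bot: The schema accepts any string for `seccompDirPath` and `savePath`, so a relative path or an empty string passes validation and only fails on the node, where the kubelet cannot locate the profile; adding `pattern: '^/'` under each of the two path properties (and `minLength: 1` under `content`) rejects those at document-validation time instead. The profile document's own comment says `savePath` must live under `seccompDirPath`, but JSON Schema cannot express that cross-field constraint, so a one-line comment above `savePath` noting that the relationship is unchecked would at least tell the next author where the trap is. Validity of `content` as JSON is likewise not checked here; if pegleg has a lint hook, that is the place to parse it.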

+ 8
- 0
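--- a/deployment_files/global/v1.0demo/software/config/Kubelet.yaml
+++ b/deployment_files/global/v1.0demo/software/config/Kubelet.yaml
@@ -14,6 +14,13 @@ metadata:
         path: .images.kubernetes.pause
       dest:
         path: .images.pause
+    - src:
+        schema: pegleg/SeccompProfile/v1
+        name: seccomp-default
+        path: .seccompDirPath
+      dest:
+        path: .arguments[7]
+        pattern: SECCOMP_PROFILE_ROOT
 data:
   arguments:
     - --cni-bin-dir=/opt/cni/bin
@@ -23,3 +30,4 @@ data:
     - --node-status-update-frequency=5s
     - --serialize-image-pulls=false
     - --v=5
+    - --seccomp-profile-root=SECCOMP_PROFILE_ROOT
</@@ -23,3 +30,4 @@>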
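Review bot: The substitution targets `.arguments[7]` by position, so it only replaces `SECCOMP_PROFILE_ROOT` while the new flag stays the eighth element; inserting any argument earlier in the list leaves the literal `--seccomp-profile-root=SECCOMP_PROFILE_ROOT` on the kubelet command line, which resolves to a non-existent relative directory and makes every `localhost/` profile fail to load. A comment on the flag line, `# NOTE: substituted by index 7 in metadata.substitutions; keep this position or update both`, makes the coupling visible to the next editor. The `substitutions` list this hunk extends starts outside the hunk, so I cannot confirm there are no other positional entries that would shift it. Note also that `--seccomp-profile-root` was later deprecated in the kubelet in favour of the config-file equivalent, so the target Kubernetes version should be checked before this is relied on.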
