From add4301ed6dc3bdd80375e6f8abd85098a91d351 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Thu, 7 Apr 2022 17:23:42 +0900 Subject: [PATCH] kubernetes: replace deprecated seccomp annotations with securityContext Kubernetes added the official `securityContext.seccompProfile` support in Kubernetes 1.19. Seccomp is still disabled by default. The legacy `container.seccomp.security.alpha.kubernetes.io/` annotation has been deprecated and will be unsupported in Kubernetes 1.25. https://kubernetes.io/docs/tutorials/security/seccomp/ A test cluster can be created with the following minikube command: ``` minikube start --feature-gates SeccompDefault=true --extra-config kubelet.seccomp-default=true ``` Related to moby/buildkit PR 2782 Signed-off-by: Akihiro Suda --- docs/reference/buildx_create.md | 2 +- driver/kubernetes/manifest/manifest.go | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/reference/buildx_create.md b/docs/reference/buildx_create.md index a6c682d0..35400499 100644 --- a/docs/reference/buildx_create.md +++ b/docs/reference/buildx_create.md @@ -141,7 +141,7 @@ Passes additional driver-specific options. Details for each driver: - `limits.memory` - Sets the limit memory value specified in bytes or with a valid suffix. Example `limits.memory=500Mi`, `limits.memory=4G` - `nodeselector="label1=value1,label2=value2"` - Sets the kv of `Pod` nodeSelector. No Defaults. Example `nodeselector=kubernetes.io/arch=arm64` - `tolerations="key=foo,value=bar;key=foo2,operator=exists;key=foo3,effect=NoSchedule"` - Sets the `Pod` tolerations. Accepts the same values as the kube manifest tolerations. Key-value pairs are separated by `,`, tolerations are separated by `;`. No Defaults. Example `tolerations=operator=exists` - - `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false. + - `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. Needs Kubernetes 1.19 or later. [Using Ubuntu host kernel is recommended](https://github.com/moby/buildkit/blob/master/docs/rootless.md). Defaults to false. - `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky" - `qemu.install=(true|false)` - Install QEMU emulation for multi platforms support. - `qemu.image=IMAGE` - Sets the QEMU emulation image. Defaults to `tonistiigi/binfmt:latest` diff --git a/driver/kubernetes/manifest/manifest.go b/driver/kubernetes/manifest/manifest.go index 031b4965..1a9ebe5a 100644 --- a/driver/kubernetes/manifest/manifest.go +++ b/driver/kubernetes/manifest/manifest.go @@ -204,12 +204,15 @@ func toRootless(d *appsv1.Deployment) error { d.Spec.Template.Spec.Containers[0].Args, "--oci-worker-no-process-sandbox", ) - d.Spec.Template.Spec.Containers[0].SecurityContext = nil + d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{ + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeUnconfined, + }, + } if d.Spec.Template.ObjectMeta.Annotations == nil { - d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 2) + d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 1) } d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined" - d.Spec.Template.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+containerName] = "unconfined" return nil }