[TEST] SeccompProfile CRD: add new fields for seccomp notify #1
base: main
Conversation
@alban awesome, thanks for doing this!
LGTM. Just a simple comment about a flag that must not be added (it is confusing, and there are already mistakes in the OCI seccomp flags).
But that should be trivial; from my POV, feel free to fix that and just open the PR upstream.
@@ -64,7 +68,7 @@ type SeccompProfileSpec struct { | |||
// +kubebuilder:validation:Enum=SCMP_ARCH_NATIVE;SCMP_ARCH_X86;SCMP_ARCH_X86_64;SCMP_ARCH_X32;SCMP_ARCH_ARM;SCMP_ARCH_AARCH64;SCMP_ARCH_MIPS;SCMP_ARCH_MIPS64;SCMP_ARCH_MIPS64N32;SCMP_ARCH_MIPSEL;SCMP_ARCH_MIPSEL64;SCMP_ARCH_MIPSEL64N32;SCMP_ARCH_PPC;SCMP_ARCH_PPC64;SCMP_ARCH_PPC64LE;SCMP_ARCH_S390;SCMP_ARCH_S390X;SCMP_ARCH_PARISC;SCMP_ARCH_PARISC64;SCMP_ARCH_RISCV64 | |||
type Arch string | |||
|
|||
// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW | |||
// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW;SECCOMP_FILTER_FLAG_NEW_LISTENER |
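Review bot: the added enum value SECCOMP_FILTER_FLAG_NEW_LISTENER on the `+` line contradicts the PR description, which states that this flag is not added (see runtime-spec PR 1096). Drop it so the marker stays `// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW`; a flag the runtime applies itself when it installs a notify filter should not be user-selectable in the profile.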
This shouldn't be added. See this PR: opencontainers/runtime-spec#1096
deploy/base/crds/seccompprofile.yaml
Outdated
@@ -97,8 +98,16 @@ spec: | |||
- SECCOMP_FILTER_FLAG_TSYNC | |||
- SECCOMP_FILTER_FLAG_LOG | |||
- SECCOMP_FILTER_FLAG_SPEC_ALLOW | |||
- SECCOMP_FILTER_FLAG_NEW_LISTENER |
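Review bot: `- SECCOMP_FILTER_FLAG_NEW_LISTENER` should not appear in the CRD enum either, for the same reason as in the Go type. Since this enum mirrors the kubebuilder marker on SeccompProfileSpec, remove the value from the Go marker and regenerate this file rather than editing both by hand, so the two cannot drift.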
idem, please remove
deploy/namespace-operator.yaml
Outdated
@@ -308,8 +309,16 @@ spec: | |||
- SECCOMP_FILTER_FLAG_TSYNC | |||
- SECCOMP_FILTER_FLAG_LOG | |||
- SECCOMP_FILTER_FLAG_SPEC_ALLOW | |||
- SECCOMP_FILTER_FLAG_NEW_LISTENER |
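Review bot: this hunk is identical to the ones in deploy/openshift-dev.yaml, deploy/openshift.yaml and deploy/operator.yaml (same flag added at the same position), so these deploy manifests appear to be bundled copies of the CRD. Fix the CRD source and regenerate all of them together; hand-editing four copies is where one gets missed.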
idem, remove
deploy/openshift-dev.yaml
Outdated
@@ -308,8 +309,16 @@ spec: | |||
- SECCOMP_FILTER_FLAG_TSYNC | |||
- SECCOMP_FILTER_FLAG_LOG | |||
- SECCOMP_FILTER_FLAG_SPEC_ALLOW | |||
- SECCOMP_FILTER_FLAG_NEW_LISTENER |
idem
deploy/openshift.yaml
Outdated
@@ -308,8 +309,16 @@ spec: | |||
- SECCOMP_FILTER_FLAG_TSYNC | |||
- SECCOMP_FILTER_FLAG_LOG | |||
- SECCOMP_FILTER_FLAG_SPEC_ALLOW | |||
- SECCOMP_FILTER_FLAG_NEW_LISTENER |
idem
deploy/operator.yaml
Outdated
@@ -308,8 +309,16 @@ spec: | |||
- SECCOMP_FILTER_FLAG_TSYNC | |||
- SECCOMP_FILTER_FLAG_LOG | |||
- SECCOMP_FILTER_FLAG_SPEC_ALLOW | |||
- SECCOMP_FILTER_FLAG_NEW_LISTENER |
idem
b27da39 to 294bb86
Seccomp notify is a new feature in container runtimes introduced by
- https://github.com/opencontainers/runtime-spec PR 1074
- https://github.com/opencontainers/runc PR 2682 (available in runc 1.1.0)

This patch adds:
- The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a seccomp agent
- The ListenerPath and ListenerMetadata fields so the runtime can contact the seccomp agent.

Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See
https://github.com/opencontainers/runtime-spec PR 1096 for details.
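As an added illustration (not code from this PR or from the operator it targets), a Go validator for the two constraints the review and the description turn on: SECCOMP_FILTER_FLAG_NEW_LISTENER stays out of the user-settable flags, and a profile that uses SCMP_ACT_NOTIFY must carry a ListenerPath. The struct mirrors only the field names this PR mentions; the rest of its shape, the sample socket path, and the rule that a notify action requires a ListenerPath are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Subset of the SeccompProfile spec touched by this PR. Field names follow
// the Go type names the PR mentions; the rest of the shape is assumed.
type Syscall struct {
	Names  []string
	Action string
}
type SeccompProfileSpec struct {
	DefaultAction    string
	Flags            []string
	ListenerPath     string
	ListenerMetadata string
	Syscalls         []Syscall
}

// User-settable filter flags: the enum as it stood before this PR.
// SECCOMP_FILTER_FLAG_NEW_LISTENER is deliberately absent; the runtime
// applies it itself when it installs a filter that uses SCMP_ACT_NOTIFY.
var allowedFlags = map[string]bool{
	"SECCOMP_FILTER_FLAG_TSYNC":      true,
	"SECCOMP_FILTER_FLAG_LOG":        true,
	"SECCOMP_FILTER_FLAG_SPEC_ALLOW": true,
}

// ValidateNotify rejects profiles that set the listener flag by hand, and
// profiles that defer decisions to an agent without saying where it is.
func ValidateNotify(spec SeccompProfileSpec) error {
	for _, f := range spec.Flags {
		if f == "SECCOMP_FILTER_FLAG_NEW_LISTENER" {
			return errors.New("SECCOMP_FILTER_FLAG_NEW_LISTENER is set by the runtime, not by the profile")
		}
		if !allowedFlags[f] {
			return fmt.Errorf("unknown seccomp filter flag %q", f)
		}
	}
	usesNotify := spec.DefaultAction == "SCMP_ACT_NOTIFY"
	for _, sc := range spec.Syscalls {
		usesNotify = usesNotify || sc.Action == "SCMP_ACT_NOTIFY"
	}
	// Assumed requirement: a notify action needs an agent socket to talk to.
	if usesNotify && spec.ListenerPath == "" {
		return errors.New("SCMP_ACT_NOTIFY used but ListenerPath is empty")
	}
	return nil
}
```

Wired into a CRD webhook, this is the check that would have caught the enum additions in the hunks above before they reached the deploy bundles.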