

Add OCI baseprofile support
This allows using OCI artifacts as base profiles when the
baseProfileName is prefixed with `oci://`.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert authored and k8s-ci-robot committed Mar 30, 2023
1 parent 1345a53 commit 1b0877d
Showing 25 changed files with 1,271 additions and 50 deletions.
4 changes: 3 additions & 1 deletion api/seccompprofile/v1beta1/seccompprofile_types.go
Expand Up @@ -40,7 +40,9 @@ const ExtJSON = ".json"

// SeccompProfileSpec defines the desired state of SeccompProfile.
type SeccompProfileSpec struct {
// name of base profile (in the same namespace) what will be unioned into this profile
// BaseProfileName is the name of base profile (in the same namespace) that
// will be unioned into this profile. Base profiles can be references as
// remote OCI artifacts as well when prefixed with `oci://`.
BaseProfileName string `json:"baseProfileName,omitempty"`

// Properties from containers/common/pkg/seccomp.Seccomp type
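Review bot: The new three-line doc comment on BaseProfileName has a typo, `can be references as` should read `can be referenced as`, and the same wording recurs verbatim in the generated CRD descriptions (deploy/base-crds/crds/seccompprofile.yaml, deploy/helm/crds/crds.yaml, deploy/namespace-operator.yaml, deploy/openshift-dev.yaml, deploy/openshift-downstream.yaml and the unnamed CRD section near the top of the page), so it should be fixed here and the manifests regenerated rather than patched by hand. Because the field now selects between a namespace-local profile and a remote pull, the comment should also state what form the reference after `oci://` takes and whether a digest-pinned reference is accepted, which nothing in this hunk says. Proposed middle line: `// will be unioned into this profile. Base profiles can be referenced as`. The SeccompProfileSpec struct continues past the end of the hunk.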
Expand Up @@ -3,7 +3,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -28,8 +33,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -47,6 +54,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -61,8 +69,12 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
Expand Up @@ -77,8 +77,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
6 changes: 4 additions & 2 deletions deploy/base-crds/crds/seccompprofile.yaml
Expand Up @@ -75,8 +75,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
14 changes: 13 additions & 1 deletion deploy/base/profiles/security-profiles-operator.json
@@ -1,6 +1,11 @@
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -25,8 +30,10 @@
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -44,6 +51,7 @@
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -58,8 +66,12 @@
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
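Review bot: The added syscalls `flock`, `fsync`, `lseek`, `prlimit64`, `readlinkat`, `renameat` and `rseq` widen the operator's own seccomp allowlist, and nothing on the page records which part of the new OCI pull path needs each of them; `rseq` and `prlimit64` in particular look like runtime/libc initialization calls rather than pull-specific ones, which is worth confirming. JSON cannot carry a comment, so the rationale belongs in the commit message or a README next to this profile, otherwise the next reviewer cannot tell an intended widening from a leftover. The identical additions appear in the generated copies in deploy/helm/templates/static-resources.yaml, deploy/namespace-operator.yaml, deploy/openshift-dev.yaml, deploy/openshift-downstream.yaml and the unnamed data section near the top of the page, which should keep being regenerated from this file rather than edited. The one-entry-per-line reformatting of `architectures` in the first hunk is harmless.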
6 changes: 4 additions & 2 deletions deploy/helm/crds/crds.yaml
Expand Up @@ -290,8 +290,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
14 changes: 13 additions & 1 deletion deploy/helm/templates/static-resources.yaml
Expand Up @@ -871,7 +871,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -896,8 +901,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -915,6 +922,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -929,8 +937,12 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
20 changes: 17 additions & 3 deletions deploy/namespace-operator.yaml
Expand Up @@ -290,8 +290,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
Expand Down Expand Up @@ -2825,7 +2827,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -2850,8 +2857,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -2869,6 +2878,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -2883,8 +2893,12 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
20 changes: 17 additions & 3 deletions deploy/openshift-dev.yaml
Expand Up @@ -466,8 +466,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
Expand Down Expand Up @@ -2807,7 +2809,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -2832,8 +2839,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -2851,6 +2860,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -2865,8 +2875,12 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
20 changes: 17 additions & 3 deletions deploy/openshift-downstream.yaml
Expand Up @@ -290,8 +290,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
Expand Down Expand Up @@ -2838,7 +2840,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -2863,8 +2870,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -2882,6 +2891,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -2896,8 +2906,12 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
