

Add OCI baseprofile support
This allows using OCI artifacts as base profiles when the
baseProfileName is prefixed with `oci://`.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert committed Mar 28, 2023
1 parent 5e356ba commit ecfc5d1
Showing 20 changed files with 449 additions and 44 deletions.
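--- a/api/seccompprofile/v1beta1/seccompprofile_types.go
+++ b/api/seccompprofile/v1beta1/seccompprofile_types.go
@@ -40,7 +40,9 @@ const ExtJSON = ".json"
 
 // SeccompProfileSpec defines the desired state of SeccompProfile.
 type SeccompProfileSpec struct {
-// name of base profile (in the same namespace) what will be unioned into this profile
+// BaseProfileName is the name of base profile (in the same namespace) that
+// will be unioned into this profile. Base profiles can be references as
+// remote OCI artifacts as well when prefixed with `oci://`.
 BaseProfileName string `json:"baseProfileName,omitempty"`
 
 // Properties from containers/common/pkg/seccomp.Seccomp type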
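Review bot: The new doc comment on BaseProfileName has a typo, `can be references as remote OCI artifacts` should read `can be referenced as remote OCI artifacts`; the CRD descriptions under deploy/ in this commit repeat the same wording verbatim and appear to be generated from this comment, so fixing it here fixes all of them. The comment also keeps "in the same namespace" while introducing a reference form that is not namespace-scoped, and it does not say what follows the `oci://` prefix (presumably a registry image reference) or whether tags as well as digests are accepted; since the fetched artifact becomes part of the enforced profile, an author needs to know that. A third comment line such as `// An oci:// reference is resolved remotely and is not restricted to the profile's namespace.` would close the gap, with the accepted reference forms stated once the resolver's rules are confirmed. The enclosing struct continues outside the hunk.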
Expand Up @@ -3,7 +3,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -28,8 +33,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -47,6 +54,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -61,13 +69,18 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"sched_getaffinity",
"sched_yield",
"seccomp",
"set_robust_list",
"set_tid_address",
"setgid",
Expand Up @@ -77,8 +77,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
6 changes: 4 additions & 2 deletions deploy/base-crds/crds/seccompprofile.yaml
Expand Up @@ -75,8 +75,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
15 changes: 14 additions & 1 deletion deploy/base/profiles/security-profiles-operator.json
@@ -1,6 +1,11 @@
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -25,8 +30,10 @@
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -44,6 +51,7 @@
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -58,13 +66,18 @@
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"sched_getaffinity",
"sched_yield",
"seccomp",
"set_robust_list",
"set_tid_address",
"setgid",
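Review bot: The operator's own seccomp allowlist is widened by flock, fsync, lseek, prlimit64, rseq, sched_yield and seccomp, and the hunk header `@@ -58,13 +66,18 @@` accounts for five additions where only four are distinguishable on this rendering, so at least one more is hidden; the commit message describes only the `oci://` base profile feature and says nothing about this. Because this file is the profile the operator is confined by, each widening should be traceable to the code path that needs it (presumably the OCI artifact fetch), and `seccomp` and `prlimit64` in particular deserve a one-line justification since they let the confined process alter its own filter stack and resource limits. A sentence in the commit description such as `Also extend the operator's own seccomp profile with the syscalls required by the OCI artifact pull.` would record that. The same change is repeated in the profile copies in deploy/helm/templates/static-resources.yaml, deploy/namespace-operator.yaml, deploy/openshift-dev.yaml and deploy/openshift-downstream.yaml (and in an earlier section whose file header is missing from this page), which look generated from this file and need no separate note.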
6 changes: 4 additions & 2 deletions deploy/helm/crds/crds.yaml
Expand Up @@ -290,8 +290,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
15 changes: 14 additions & 1 deletion deploy/helm/templates/static-resources.yaml
Expand Up @@ -871,7 +871,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -896,8 +901,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -915,6 +922,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -929,13 +937,18 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"sched_getaffinity",
"sched_yield",
"seccomp",
"set_robust_list",
"set_tid_address",
"setgid",
21 changes: 18 additions & 3 deletions deploy/namespace-operator.yaml
Expand Up @@ -290,8 +290,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
Expand Down Expand Up @@ -2825,7 +2827,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -2850,8 +2857,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -2869,6 +2878,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -2883,13 +2893,18 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"sched_getaffinity",
"sched_yield",
"seccomp",
"set_robust_list",
"set_tid_address",
"setgid",
21 changes: 18 additions & 3 deletions deploy/openshift-dev.yaml
Expand Up @@ -466,8 +466,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
Expand Down Expand Up @@ -2807,7 +2809,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -2832,8 +2839,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -2851,6 +2860,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -2865,13 +2875,18 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"sched_getaffinity",
"sched_yield",
"seccomp",
"set_robust_list",
"set_tid_address",
"setgid",
21 changes: 18 additions & 3 deletions deploy/openshift-downstream.yaml
Expand Up @@ -290,8 +290,10 @@ spec:
type: string
type: array
baseProfileName:
description: name of base profile (in the same namespace) what will
be unioned into this profile
description: BaseProfileName is the name of base profile (in the same
namespace) that will be unioned into this profile. Base profiles
can be references as remote OCI artifacts as well when prefixed
with `oci://`.
type: string
defaultAction:
description: the default action for seccomp
Expand Down Expand Up @@ -2838,7 +2840,12 @@ data:
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
"architectures": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32",
"SCMP_ARCH_AARCH64"
],
"syscalls": [
{
"names": [
Expand All @@ -2863,8 +2870,10 @@ data:
"exit_group",
"fchown",
"fcntl",
"flock",
"fstat",
"fstatfs",
"fsync",
"futex",
"getcwd",
"getdents64",
Expand All @@ -2882,6 +2891,7 @@ data:
"inotify_add_watch",
"inotify_init1",
"listen",
"lseek",
"madvise",
"membarrier",
"mkdirat",
Expand All @@ -2896,13 +2906,18 @@ data:
"pipe2",
"prctl",
"pread64",
"prlimit64",
"read",
"readlink",
"readlinkat",
"renameat",
"rseq",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"sched_getaffinity",
"sched_yield",
"seccomp",
"set_robust_list",
"set_tid_address",
"setgid",
