Make the kubelet root directory configurable

api/seccompprofile/v1beta1/seccompprofile_types.go

@@ -149,7 +149,7 @@ func (sp *SeccompProfile) DeepCopyToStatusBaseIf() profilebase.StatusBaseUser {
 
 func (sp *SeccompProfile) SetImplementationStatus() {
 	profilePath := sp.GetProfilePath()
-	sp.Status.LocalhostProfile = strings.TrimPrefix(profilePath, config.KubeletSeccompRootPath+"/")
+	sp.Status.LocalhostProfile = strings.TrimPrefix(profilePath, config.KubeletSeccompRootPath()+"/")
 }
 
 func (sp *SeccompProfile) GetProfileFile() string {
@@ -163,7 +163,7 @@ func (sp *SeccompProfile) GetProfileFile() string {
 func (sp *SeccompProfile) GetProfilePath() string {
 	pfile := sp.GetProfileFile()
 	return path.Join(
-		config.ProfilesRootPath,
+		config.ProfilesRootPath(),
 		filepath.Base(sp.GetNamespace()),
 		filepath.Base(pfile),
 	)

bundle/manifests/security-profiles-operator.clusterserviceversion.yaml

@@ -860,6 +860,8 @@ spec:
                   valueFrom:
                     fieldRef:
                       fieldPath: spec.nodeName
+                - name: KUBELET_DIR
+                  value: /var/lib/kubelet
                 image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest
                 imagePullPolicy: Always
                 name: security-profiles-operator

deploy/kustomize-deployment/manager_deployment.yaml

@@ -51,6 +51,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: KUBELET_DIR
+              value: "/var/lib/kubelet"
       tolerations:
         - key: "node-role.kubernetes.io/master"
           operator: "Exists"

deploy/namespace-operator.yaml

@@ -2983,6 +2983,8 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: KUBELET_DIR
+          value: /var/lib/kubelet
         image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest
         imagePullPolicy: Always
         name: security-profiles-operator

deploy/openshift-dev.yaml

@@ -2981,6 +2981,8 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: KUBELET_DIR
+          value: /var/lib/kubelet
         image: image-registry.openshift-image-registry.svc:5000/openshift/security-profiles-operator:latest
         imagePullPolicy: Always
         name: security-profiles-operator

deploy/openshift-downstream.yaml

@@ -2994,6 +2994,8 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: KUBELET_DIR
+          value: /var/lib/kubelet
         image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest
         imagePullPolicy: Always
         name: security-profiles-operator

deploy/operator.yaml

@@ -2981,6 +2981,8 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: KUBELET_DIR
+          value: /var/lib/kubelet
         image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest
         imagePullPolicy: Always
         name: security-profiles-operator

deploy/webhook-operator.yaml

@@ -2981,6 +2981,8 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: KUBELET_DIR
+          value: /var/lib/kubelet
         image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest
         imagePullPolicy: Always
         name: security-profiles-operator

installation-usage.md

@@ -10,6 +10,7 @@
   - [Installation using OLM using upstream catalog and bundle](#installation-using-olm-using-upstream-catalog-and-bundle)
   - [Installation using helm](#installation-using-helm)
   - [Installation on AKS](#installation-on-aks)
+- [Configure a custom kubelet root directory](#configure-a-custom-kubelet-root-directory)
 - [Set logging verbosity](#set-logging-verbosity)
 - [Pull images from private registry](#pull-images-from-private-registry)
 - [Configure the SELinux type](#configure-the-selinux-type)
@@ -189,6 +190,12 @@ NAME   STATE
 spod   RUNNING
 ```
 
+## Configure a custom kubelet root directory
+
+You can configure a custom kubelet root directory in case your cluster is not using the default `/var/lib/kubelet` path.
+You can achieve this by setting the environment variable `KUBELET_DIR` in the operator deployment. This environment variable will
+be then set in the manager container as well as it will be propagated into the containers part of spod daemonset.
+
 ## Set logging verbosity
 
 The operator supports the default logging verbosity of `0` and an enhanced `1`.

internal/pkg/config/config.go

@@ -19,6 +19,7 @@ package config
 import (
 	"errors"
 	"os"
+	"path"
 	"path/filepath"
 
 	"sigs.k8s.io/release-utils/env"
@@ -44,13 +45,8 @@ const (
 	// UserRootless is the user which runs the operator.
 	UserRootless = 65535
 
-	// KubeletSeccompRootPath specifies the path where all kubelet seccomp
-	// profiles are stored.
-	KubeletSeccompRootPath = "/var/lib/kubelet/seccomp"
-
-	// ProfilesRootPath specifies the path where the operator stores seccomp
-	// profiles.
-	ProfilesRootPath = KubeletSeccompRootPath + "/operator"
+	// DefaultKubeletPath specifies the default kubelet path.
+	DefaultKubeletPath = "/var/lib/kubelet"
 
 	// NodeNameEnvKey is the default environment variable key for retrieving
 	// the name of the current node.
@@ -84,6 +80,9 @@ const (
 	// profiling port.
 	ProfilingPortEnvKey = "SPO_PROFILING_PORT"
 
+	// KubeletDirEnvKey is the environment variable key for custom kubelet directory.
+	KubeletDirEnvKey = "KUBELET_DIR"
+
 	// DefaultProfilingPort is the start port where the profiling endpoint runs.
 	DefaultProfilingPort = 6060
 
@@ -155,3 +154,25 @@ func TryToGetOperatorNamespace() (string, error) {
 	}
 	return operatorNS, nil
 }
+
+// KubeletDir returns the kubelet directory either form an environment variable
+// when is set or the default Kubernetes path.
+func KubeletDir() string {
+	kubeletDir := env.Default(KubeletDirEnvKey, "")
+	if kubeletDir == "" {
+		return DefaultKubeletPath
+	}
+	return kubeletDir
+}
+
+// KubeletSeccompRootPath specifies the path where all kubelet seccomp
+// profiles are stored.
+func KubeletSeccompRootPath() string {
+	return path.Join(KubeletDir(), "seccomp")
+}
+
+// ProfilesRootPath specifies the path where the operator stores seccomp
+// profiles.
+func ProfilesRootPath() string {
+	return path.Join(KubeletSeccompRootPath(), "operator")
+}

internal/pkg/daemon/seccompprofile/seccompprofile_test.go

@@ -210,7 +210,7 @@ func TestGetProfilePath(t *testing.T) {
 	}{
 		{
 			name: "AppendNamespaceAndProfile",
-			want: path.Join(config.ProfilesRootPath, "config-namespace", "file.json"),
+			want: path.Join(config.ProfilesRootPath(), "config-namespace", "file.json"),
 			sp: &seccompprofileapi.SeccompProfile{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "file.json",
@@ -220,7 +220,7 @@ func TestGetProfilePath(t *testing.T) {
 		},
 		{
 			name: "BlockTraversalAtProfileName",
-			want: path.Join(config.ProfilesRootPath, "ns", "file.json"),
+			want: path.Join(config.ProfilesRootPath(), "ns", "file.json"),
 			sp: &seccompprofileapi.SeccompProfile{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "../../../../../file.json",
@@ -230,7 +230,7 @@ func TestGetProfilePath(t *testing.T) {
 		},
 		{
 			name: "BlockTraversalAtTargetName",
-			want: path.Join(config.ProfilesRootPath, "ns", "file.json"),
+			want: path.Join(config.ProfilesRootPath(), "ns", "file.json"),
 			sp: &seccompprofileapi.SeccompProfile{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "file.json",
@@ -240,7 +240,7 @@ func TestGetProfilePath(t *testing.T) {
 		},
 		{
 			name: "BlockTraversalAtSPNamespace",
-			want: path.Join(config.ProfilesRootPath, "ns", "file.json"),
+			want: path.Join(config.ProfilesRootPath(), "ns", "file.json"),
 			sp: &seccompprofileapi.SeccompProfile{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "file.json",
@@ -250,7 +250,7 @@ func TestGetProfilePath(t *testing.T) {
 		},
 		{
 			name: "AppendExtension",
-			want: path.Join(config.ProfilesRootPath, "config-namespace", "file.json"),
+			want: path.Join(config.ProfilesRootPath(), "config-namespace", "file.json"),
 			sp: &seccompprofileapi.SeccompProfile{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "file",

internal/pkg/manager/spod/bindata/spod.go

@@ -190,6 +190,12 @@ var Manifest = &appsv1.DaemonSet{
 								corev1.ResourceEphemeralStorage: resource.MustParse("50Mi"),
 							},
 						},
+						Env: []corev1.EnvVar{
+							{
+								Name:  config.KubeletDirEnvKey,
+								Value: config.KubeletDir(),
+							},
+						},
 					},
 					{
 						Name:  SelinuxPoliciesCopierContainerName,
@@ -266,6 +272,12 @@ semodule -i /opt/spo-profiles/selinuxrecording.cil
 								corev1.ResourceEphemeralStorage: resource.MustParse("50Mi"),
 							},
 						},
+						Env: []corev1.EnvVar{
+							{
+								Name:  config.KubeletDirEnvKey,
+								Value: config.KubeletDir(),
+							},
+						},
 					},
 				},
 				Containers: []corev1.Container{
@@ -276,7 +288,7 @@ semodule -i /opt/spo-profiles/selinuxrecording.cil
 						VolumeMounts: []corev1.VolumeMount{
 							{
 								Name:      "host-operator-volume",
-								MountPath: config.ProfilesRootPath,
+								MountPath: config.ProfilesRootPath(),
 							},
 							{
 								Name:      "selinux-drop-dir",
@@ -345,6 +357,10 @@ semodule -i /opt/spo-profiles/selinuxrecording.cil
 								Name:  config.SPOdNameEnvKey,
 								Value: config.SPOdName,
 							},
+							{
+								Name:  config.KubeletDirEnvKey,
+								Value: config.KubeletDir(),
+							},
 						},
 						Ports: []corev1.ContainerPort{
 							{
@@ -432,6 +448,12 @@ semodule -i /opt/spo-profiles/selinuxrecording.cil
 								corev1.ResourceEphemeralStorage: resource.MustParse("400Mi"),
 							},
 						},
+						Env: []corev1.EnvVar{
+							{
+								Name:  config.KubeletDirEnvKey,
+								Value: config.KubeletDir(),
+							},
+						},
 					},
 					{
 						Name:            LogEnricherContainerName,
@@ -483,6 +505,10 @@ semodule -i /opt/spo-profiles/selinuxrecording.cil
 									},
 								},
 							},
+							{
+								Name:  config.KubeletDirEnvKey,
+								Value: config.KubeletDir(),
+							},
 						},
 					},
 					{
@@ -538,6 +564,10 @@ semodule -i /opt/spo-profiles/selinuxrecording.cil
 									},
 								},
 							},
+							{
+								Name:  config.KubeletDirEnvKey,
+								Value: config.KubeletDir(),
+							},
 						},
 					},
 					{

internal/pkg/nonrootenabler/nonrootenabler.go

@@ -48,13 +48,13 @@ func (n *NonRootEnabler) Run(logger logr.Logger, runtime string) error {
 
 	logger.Info("Container runtime:" + runtime)
 
-	logger.Info("Ensuring seccomp root path: " + config.KubeletSeccompRootPath)
+	logger.Info("Ensuring seccomp root path: " + config.KubeletSeccompRootPath())
 	if err := n.impl.MkdirAll(
-		config.KubeletSeccompRootPath, dirPermissions,
+		config.KubeletSeccompRootPath(), dirPermissions,
 	); err != nil {
 		return fmt.Errorf(
 			"create seccomp root path %s: %w",
-			config.KubeletSeccompRootPath, err,
+			config.KubeletSeccompRootPath(), err,
 		)
 	}
 
@@ -64,7 +64,7 @@ func (n *NonRootEnabler) Run(logger logr.Logger, runtime string) error {
 	); err != nil {
 		return fmt.Errorf(
 			"create operator root path %s: %w",
-			config.KubeletSeccompRootPath, err,
+			config.KubeletSeccompRootPath(), err,
 		)
 	}
 
@@ -74,10 +74,10 @@ func (n *NonRootEnabler) Run(logger logr.Logger, runtime string) error {
 		return fmt.Errorf("change operator root path permissions: %w", err)
 	}
 
-	if _, err := n.impl.Stat(config.ProfilesRootPath); os.IsNotExist(err) {
+	if _, err := n.impl.Stat(config.ProfilesRootPath()); os.IsNotExist(err) {
 		logger.Info("Linking profiles root path")
 		if err := n.impl.Symlink(
-			config.OperatorRoot, config.ProfilesRootPath,
+			config.OperatorRoot, config.ProfilesRootPath(),
 		); err != nil {
 			return fmt.Errorf("link profiles root path: %w", err)
 		}
@@ -91,9 +91,9 @@ func (n *NonRootEnabler) Run(logger logr.Logger, runtime string) error {
 	}
 
 	kubeletSeccompRootPath := config.KubeletSeccompRootPath
-	logger.Info("Copying profiles into root path: " + kubeletSeccompRootPath)
+	logger.Info("Copying profiles into root path: " + kubeletSeccompRootPath())
 	if err := n.impl.CopyDirContentsLocal(
-		"/opt/spo-profiles", kubeletSeccompRootPath,
+		"/opt/spo-profiles", kubeletSeccompRootPath(),
 	); err != nil {
 		return fmt.Errorf("copy local security profiles: %w", err)
 	}

test/tc_allowed_syscalls_test.go

@@ -57,7 +57,7 @@ func (e *e2e) testCaseAllowedSyscallsValidation(nodes []string) {
 		// the dev container where the tests are executed. This check needs to be skipped.
 		if e.nodeRootfsPrefix == "" {
 			statOutput := e.execNode(
-				node, "stat", "-L", "-c", `%a,%u,%g`, config.ProfilesRootPath,
+				node, "stat", "-L", "-c", `%a,%u,%g`, config.ProfilesRootPath(),
 			)
 			e.Contains(statOutput, "744,65535,65535")
 

test/tc_default_profiles_test.go

@@ -44,7 +44,7 @@ func (e *e2e) testCaseDefaultAndExampleProfiles(nodes []string) {
 		// the dev container where the tests are executed. This check needs to be skipped.
 		if e.nodeRootfsPrefix == "" {
 			statOutput := e.execNode(
-				node, "stat", "-L", "-c", `%a,%u,%g`, config.ProfilesRootPath,
+				node, "stat", "-L", "-c", `%a,%u,%g`, config.ProfilesRootPath(),
 			)
 			e.Contains(statOutput, "744,65535,65535")