Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Seccomp #135

Closed
22 tasks done
pweil- opened this issue Oct 25, 2016 · 156 comments
Closed
22 tasks done

Seccomp #135

pweil- opened this issue Oct 25, 2016 · 156 comments
Assignees
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status

Comments

@pweil-
Copy link

pweil- commented Oct 25, 2016

Description

Seccomp support is providing the ability to define seccomp profiles and configure pods to run with those profiles. This includes the ability control usage of the profiles via PSP as well as maintaining the ability to run as unconfined or with the default container runtime profile.

KEP: sig-node/20190717-seccomp-ga.md
Latest PR to update the KEP: #1747

Progress Tracker

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

  • Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

  • Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
  • As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
    and sometimes http://github.com/kubernetes/contrib, or other repos.
  • When you are done with the code, apply the "code-complete" label.
  • When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
    check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
    testing. They won't do detailed code review: that already happened when your PRs were reviewed.
    When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

@pweil-
Copy link
Author

pweil- commented Oct 25, 2016

@derekwaynecarr @sttts @erictune didn't see an issue for this but it is already in alpha. Creating this as the reminder to push it through to beta and stable.

@sttts could you provide the appropriate links to docs and PRs? I think you are closest to this code.

@derekwaynecarr
Copy link
Member

derekwaynecarr commented Oct 25, 2016

@pweil- @sttts - per our discussion, this is a feature we would like to sponsor in Kubernetes 1.6 under @kubernetes/sig-node

@idvoretskyi
Copy link
Member

@pweil- @derekwaynecarr please, confirm that this feature has to be set with 1.6 milestone.

@sttts
Copy link
Contributor

sttts commented Oct 26, 2016

@idvoretskyi we target to move it to beta for 1.6.

@idvoretskyi idvoretskyi added this to the next-milestone milestone Oct 26, 2016
@idvoretskyi
Copy link
Member

@sttts thanks.

@idvoretskyi idvoretskyi modified the milestones: v1.6, next-milestone Dec 13, 2016
@idvoretskyi idvoretskyi added stage/beta Denotes an issue tracking an enhancement targeted for Beta status sig/node Categorizes an issue or PR as relevant to SIG Node. labels Jan 10, 2017
@idvoretskyi idvoretskyi modified the milestones: next-milestone, v1.6 Feb 28, 2017
@bgrant0607
Copy link
Member

@calebamiles calebamiles added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jul 26, 2017
@calebamiles calebamiles modified the milestones: 1.8, next-milestone Jul 26, 2017
@idvoretskyi
Copy link
Member

@pweil- any updates for 1.8? Is this feature still on track for the release?

@pweil-
Copy link
Author

pweil- commented Sep 11, 2017

@idvoretskyi this was not a priority for 1.8. @php-coder can you add a card to this for our PM planning? We need to stop letting this fall through the cracks and get it moved to beta and GA.

@idvoretskyi
Copy link
Member

@pweil- if this feature is not planned for 1.8 - please, update the milestone with the "next-milestone" or "1.9"

@tallclair
Copy link
Member

I'd like to see this get to beta. Priorities (or requirements) for that include:

  1. Annotations (Pod & PodSecurityPolicy) must be moved to fields on the container SecurityContext (see https://github.com/kubernetes/community/blob/master/contributors/devel/api_changes.md#alpha-field-in-existing-api-version)
  2. Settle on the OCI spec seccomp format, and define a Kubernetes default profile (can we reuse Docker's?) Proposal: spec the seccomp profile format kubernetes#39128
    a. Figure out how the Kubernetes profile is delivered to the container runtime via CRI (/cc @yujuhong @Random-Liu )
    b. docker/default should still be allowed if the runtime is docker (for backwards compatibility)
  3. The Kubernetes default profile should be the new default. For backwards compatibility, this MUST be optional behavior (i.e. flag controlled). Change seccomp default to 'docker/default' kubernetes#39845

Is anyone interested in driving this work for the 1.9 (or 1.10) milestone? @jessfraz @kubernetes/sig-auth-feature-requests and @kubernetes/sig-node-feature-requests I'm looking at you 😉

Also relevant: kubernetes/community#660 (do we need to settle the decisions in that PR before proceeding?)

@tallclair
Copy link
Member

/cc @destijl

@jessfraz
Copy link

jessfraz commented Sep 24, 2017 via email

@jessfraz
Copy link

ok I will update the proposal and start on this tomorrow if no one else will ;)

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 3, 2022
@pjbgf
Copy link
Member

pjbgf commented Aug 3, 2022

/remove-lifecycle stale

@saschagrunert saschagrunert removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 4, 2022
@tallclair
Copy link
Member

/lifecycle frozen

@pjbgf @saschagrunert Are we just keeping this open to track the annotation removal at this point?

I think the only remaining task is to stop copying annotations to fields, in v1.27?

@k8s-ci-robot k8s-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Aug 24, 2022
@saschagrunert
Copy link
Member

@pjbgf @saschagrunert Are we just keeping this open to track the annotation removal at this point?

I think the only remaining task is to stop copying annotations to fields, in v1.27?

Yep, exactly let's keep it open to track this last point.

@saschagrunert
Copy link
Member

saschagrunert commented Jan 10, 2023

I assume that we're now aim to close out this one for 1.27 (kubernetes/kubernetes#91286 (comment)).

@saschagrunert
Copy link
Member

This can be considered as done now.

@sftim
Copy link
Contributor

sftim commented Feb 21, 2023

Is this definitely done? It looks like the docs might not be finished.

@sftim
Copy link
Contributor

sftim commented Feb 21, 2023

We should document all features that graduate to GA. I think that's especially important for security controls.
/reopen

to track the remaining work.

@k8s-ci-robot
Copy link
Contributor

@sftim: Reopened this issue.

In response to this:

We should document all features that graduate to GA. I think that's especially important for security controls.
/reopen

to track the remaining work.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kannon92
Copy link
Contributor

@saschagrunert @tallclair @sftim What are the action items for 1.32 for this feature?

@sftim
Copy link
Contributor

sftim commented Aug 21, 2024

I think seccomp is stable; I reopened this because we want GA-quality docs (I assume we do). However, docs are continuously delivered so no need to make 1.32 plans around documentation

Pages / sections we might update:

I know that AppArmor is also underdocumented, however whether or not AppArmor is well documented, we should add a bit more detail about what goes into the seccompProfile field - a reference page within https://kubernetes.io/docs/reference/node/ would really help. We have https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 but that page links on to the task page, not to a detailed reference.

@saschagrunert
Copy link
Member

I guess we can update https://kubernetes.io/docs/reference/node to contain a seccomp page.

We also have https://kubernetes.io/docs/tutorials/security/seccomp

@kannon92 kannon92 moved this from Implemented to Done in SIG Node 1.32 KEPs planning Aug 22, 2024
@kannon92
Copy link
Contributor

Since this is stable, can you create issues in k8s/website to enhance docs for this?

/close

@k8s-ci-robot
Copy link
Contributor

@kannon92: Closing this issue.

In response to this:

Since this is stable, can you create issues in k8s/website to enhance docs for this?

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sftim
Copy link
Contributor

sftim commented Aug 22, 2024

I'm loth to see KEPs closed without staffing work that should have been done before graduation, but I can't force the issue.

@sftim
Copy link
Contributor

sftim commented Aug 22, 2024

Since this is stable, can you create issues in k8s/website to enhance docs for this?

Doing that work isn't a priority for me. Happy for someone else to.

@saschagrunert
Copy link
Member

Opened kubernetes/website#47687 to track the work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Projects
Status: Done
Development

No branches or pull requests