From f2dd897d6765ffb56598f8a523f21d984da3a352 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Wed, 9 Sep 2020 23:29:29 -0700
Subject: [PATCH] Change seccomp annotations to Pod seccompProfile

* seccomp graduated to GA in Kubernetes v1.19. Support for seccomp alpha annotations will be removed in v1.22
* Replace seccomp annotations with the GA seccompProfile field in the PodTemplate securityContext
* Switch profile from `docker/default` to `runtime/default` (no effective change, since docker is the runtime)
* Verify with docker inspect SecurityOpt. Without the profile, you'd see `seccomp=unconfined`

Related:
* https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#seccomp-graduates-to-general-availability
---
resources/calico/daemonset.yaml | 5 +++--
resources/cilium/daemonset.yaml | 5 +++--
resources/cilium/deployment.yaml | 5 +++--
resources/flannel/daemonset.yaml | 5 +++--
resources/manifests/coredns/deployment.yaml | 5 +++--
resources/manifests/kube-proxy.yaml | 5 +++--
resources/static-manifests/kube-apiserver.yaml | 4 ++--
resources/static-manifests/kube-controller-manager.yaml | 4 ++--
resources/static-manifests/kube-scheduler.yaml | 4 ++--
9 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/resources/calico/daemonset.yaml b/resources/calico/daemonset.yaml
index be222df..f47807e 100644
--- a/resources/calico/daemonset.yaml
+++ b/resources/calico/daemonset.yaml
@@ -17,11 +17,12 @@ spec:
metadata: labels: k8s-app: calico-node - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: calico-node tolerations: - key: node-role.kubernetes.io/controller
diff --git a/resources/cilium/daemonset.yaml b/resources/cilium/daemonset.yaml
index 0c77e03..d138995 100644
--- a/resources/cilium/daemonset.yaml
+++ b/resources/cilium/daemonset.yaml
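Review bot: The pod-level `seccompProfile` inserted after `priorityClassName` has no effect on a container that runs with `privileged: true`, because the runtime starts privileged containers unconfined regardless of the profile; calico-node's containers lie outside this hunk and are commonly privileged, so confirm that the field actually constrains something in this DaemonSet. The `docker inspect SecurityOpt` verification in the commit message should therefore target the calico-node container itself rather than the pod sandbox. If the containers are privileged, a comment next to the field such as `# NOTE: the runtime skips seccomp for containers with privileged: true` would keep readers from assuming the DaemonSet is confined.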
@@ -17,12 +17,13 @@ spec:
metadata: labels: k8s-app: cilium-agent - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-node-critical serviceAccountName: cilium-agent + securityContext: + seccompProfile: + type: RuntimeDefault tolerations: - key: node-role.kubernetes.io/controller operator: Exists
diff --git a/resources/cilium/deployment.yaml b/resources/cilium/deployment.yaml
index 16db1e6..5230389 100644
--- a/resources/cilium/deployment.yaml
+++ b/resources/cilium/deployment.yaml
@@ -16,12 +16,13 @@ spec:
metadata: labels: name: cilium-operator - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-cluster-critical serviceAccountName: cilium-operator + securityContext: + seccompProfile: + type: RuntimeDefault tolerations: - key: node-role.kubernetes.io/controller operator: Exists
diff --git a/resources/flannel/daemonset.yaml b/resources/flannel/daemonset.yaml
index d310e56..075f675 100644
--- a/resources/flannel/daemonset.yaml
+++ b/resources/flannel/daemonset.yaml
@@ -17,12 +17,13 @@ spec:
metadata: labels: k8s-app: flannel - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-node-critical serviceAccountName: flannel + securityContext: + seccompProfile: + type: RuntimeDefault tolerations: - key: node-role.kubernetes.io/controller operator: Exists
diff --git a/resources/manifests/coredns/deployment.yaml b/resources/manifests/coredns/deployment.yaml
index e558440..66602e4 100644
--- a/resources/manifests/coredns/deployment.yaml
+++ b/resources/manifests/coredns/deployment.yaml
@@ -21,8 +21,6 @@ spec:
labels: tier: control-plane k8s-app: coredns - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: affinity: nodeAffinity:
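Review bot: `RuntimeDefault` resolves to Docker's default profile here, which (per moby's default.json) admits `bpf`, `perf_event_open`, `setns` and `mount` only when the container holds CAP_SYS_ADMIN; cilium-agent depends on those calls, so the field added after `serviceAccountName` is safe only if the agent container is privileged or granted that capability, and the containers are outside this hunk. A regression would surface as the agent failing to load BPF programs rather than as a rejected pod, so the verification should include a node where cilium reaches Ready with the new manifest. The dependency deserves a comment next to the field: `# cilium-agent needs CAP_SYS_ADMIN (or privileged) for bpf()/perf_event_open under runtime/default`.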
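Review bot: The pod-level field added after `serviceAccountName` is overridden by any container-level `securityContext.seccompProfile`, so the operator is confined only if none of its containers — which lie outside this hunk — sets `type: Unconfined` or a `Localhost` profile. Since this Deployment runs on the host network of controller nodes, it is worth checking the containers while converting rather than relying on the pod default. A one-line comment would record the intent: `# pod-wide default; a container-level seccompProfile overrides this`.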
@@ -48,6 +46,9 @@ spec:
- coredns topologyKey: kubernetes.io/hostname priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: coredns tolerations: - key: node-role.kubernetes.io/controller
diff --git a/resources/manifests/kube-proxy.yaml b/resources/manifests/kube-proxy.yaml
index b06c01b..36bfdfd 100644
--- a/resources/manifests/kube-proxy.yaml
+++ b/resources/manifests/kube-proxy.yaml
@@ -20,11 +20,12 @@ spec:
labels: tier: node k8s-app: kube-proxy - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: kube-proxy tolerations: - key: node-role.kubernetes.io/controller
diff --git a/resources/static-manifests/kube-apiserver.yaml b/resources/static-manifests/kube-apiserver.yaml
index c163827..dbdbe3a 100644
--- a/resources/static-manifests/kube-apiserver.yaml
+++ b/resources/static-manifests/kube-apiserver.yaml
@@ -6,14 +6,14 @@ metadata:
labels: k8s-app: kube-apiserver tier: control-plane - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-cluster-critical securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault containers: - name: kube-apiserver image: ${kube_apiserver_image}
diff --git a/resources/static-manifests/kube-controller-manager.yaml b/resources/static-manifests/kube-controller-manager.yaml
index c1b0456..ac4cb19 100644
--- a/resources/static-manifests/kube-controller-manager.yaml
+++ b/resources/static-manifests/kube-controller-manager.yaml
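Review bot: CoreDNS is the one workload in this patch that is neither hostNetwork nor, presumably, privileged, so the field added after `priorityClassName` here is where RuntimeDefault actually constrains syscalls, and a node-side `docker inspect` is not the only check worth doing. Because the API server stores the field, it can also be confirmed from the cluster with `kubectl -n kube-system get pod -l k8s-app=coredns -o jsonpath='{.items[*].spec.securityContext.seccompProfile.type}'`, which catches a manifest that applied cleanly but lost the field (an API server older than v1.19 does not know it and would drop it without an error). The removal of the annotation for this file sits in the previous hunk and the pod spec continues outside this one.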
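Review bot: This DaemonSet lands on every node, so during a version-skewed upgrade the field added after `priorityClassName` is read by kubelets that may predate v1.19 and do not understand it; the v1.19 API server is meant to back-fill the removed `seccomp.security.alpha.kubernetes.io/pod` annotation from the field for that case, but only if the control plane is upgraded before the nodes, which the commit message does not state. Running the `docker inspect SecurityOpt` check on an older-kubelet worker, or noting the upgrade-ordering requirement in the commit message, would close that gap. If kube-proxy's container is privileged (it is outside this hunk), the profile was already a no-op for it and the skew question is moot.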
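Review bot: The `seccompProfile` added under `securityContext` after `runAsUser` only takes effect on a kubelet at v1.19 or newer, and unlike the workload manifests this is a static pod the kubelet decodes straight from disk, so there is no API server to translate the field back into the removed annotation for an older kubelet; an older kubelet would presumably ignore the unknown field and run the API server unconfined without any error. Pinning that expectation in the manifest keeps it from being silently lost: `# seccompProfile requires kubelet >= v1.19 (alpha annotation removed)`. The `containers` list begins in this hunk but continues outside it.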
@@ -6,14 +6,14 @@ metadata:
labels: k8s-app: kube-controller-manager tier: control-plane - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-cluster-critical securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault containers: - name: kube-controller-manager image: ${kube_controller_manager_image}
diff --git a/resources/static-manifests/kube-scheduler.yaml b/resources/static-manifests/kube-scheduler.yaml
index 5acac6c..d4d5f6f 100644
--- a/resources/static-manifests/kube-scheduler.yaml
+++ b/resources/static-manifests/kube-scheduler.yaml
@@ -6,14 +6,14 @@ metadata:
labels: k8s-app: kube-scheduler tier: control-plane - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-cluster-critical securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault containers: - name: kube-scheduler image: ${kube_scheduler_image}