mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-11-01 18:58:18 +00:00
Partly remove support for seccomp annotations
We now partly drop the support for seccomp annotations which is planned for v1.25 as part of the KEP: https://github.com/kubernetes/enhancements/issues/135 Pod security policies are not touched by this change and therefore we have to keep the annotation key constants. This means we only allow the usage of the annotations for backwards compatibility reasons while the synchronization of the field to annotation is no longer supported. Using the annotations for static pods is also not supported any more. Making the annotations fully non-functional will be deferred to a future release. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
This commit is contained in:
Sascha Grunert
@@ -644,28 +644,20 @@ func validateContainer(container string, pod *api.Pod) (string, error) {
|
||||
|
||||
// applySeccompVersionSkew implements the version skew behavior described in:
|
||||
// https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/135-seccomp#version-skew-strategy
|
||||
// Note that we dropped copying the field to annotation synchronization in
|
||||
// v1.25 with the functional removal of the annotations.
|
||||
func applySeccompVersionSkew(pod *api.Pod) {
|
||||
// get possible annotation and field
|
||||
annotation, hasAnnotation := pod.Annotations[v1.SeccompPodAnnotationKey]
|
||||
field, hasField := (*api.SeccompProfile)(nil), false
|
||||
hasField := false
|
||||
|
||||
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
|
||||
field = pod.Spec.SecurityContext.SeccompProfile
|
||||
hasField = true
|
||||
}
|
||||
|
||||
// sync field and annotation
|
||||
if hasField && !hasAnnotation {
|
||||
newAnnotation := podutil.SeccompAnnotationForField(field)
|
||||
|
||||
if newAnnotation != "" {
|
||||
if pod.Annotations == nil {
|
||||
pod.Annotations = map[string]string{}
|
||||
}
|
||||
pod.Annotations[v1.SeccompPodAnnotationKey] = newAnnotation
|
||||
}
|
||||
} else if hasAnnotation && !hasField {
|
||||
newField := podutil.SeccompFieldForAnnotation(annotation)
|
||||
if hasAnnotation && !hasField {
|
||||
newField := seccompFieldForAnnotation(annotation)
|
||||
|
||||
if newField != nil {
|
||||
if pod.Spec.SecurityContext == nil {
|
||||
@@ -682,24 +674,14 @@ func applySeccompVersionSkew(pod *api.Pod) {
|
||||
key := api.SeccompContainerAnnotationKeyPrefix + ctr.Name
|
||||
annotation, hasAnnotation := pod.Annotations[key]
|
||||
|
||||
field, hasField := (*api.SeccompProfile)(nil), false
|
||||
hasField := false
|
||||
if ctr.SecurityContext != nil && ctr.SecurityContext.SeccompProfile != nil {
|
||||
field = ctr.SecurityContext.SeccompProfile
|
||||
hasField = true
|
||||
}
|
||||
|
||||
// sync field and annotation
|
||||
if hasField && !hasAnnotation {
|
||||
newAnnotation := podutil.SeccompAnnotationForField(field)
|
||||
|
||||
if newAnnotation != "" {
|
||||
if pod.Annotations == nil {
|
||||
pod.Annotations = map[string]string{}
|
||||
}
|
||||
pod.Annotations[key] = newAnnotation
|
||||
}
|
||||
} else if hasAnnotation && !hasField {
|
||||
newField := podutil.SeccompFieldForAnnotation(annotation)
|
||||
if hasAnnotation && !hasField {
|
||||
newField := seccompFieldForAnnotation(annotation)
|
||||
|
||||
if newField != nil {
|
||||
if ctr.SecurityContext == nil {
|
||||
@@ -712,3 +694,33 @@ func applySeccompVersionSkew(pod *api.Pod) {
|
||||
return true
|
||||
})
|
||||
}
|
||||
|
||||
// seccompFieldForAnnotation takes a pod annotation and returns the converted
|
||||
// seccomp profile field.
|
||||
func seccompFieldForAnnotation(annotation string) *api.SeccompProfile {
|
||||
// If only seccomp annotations are specified, copy the values into the
|
||||
// corresponding fields. This ensures that existing applications continue
|
||||
// to enforce seccomp, and prevents the kubelet from needing to resolve
|
||||
// annotations & fields.
|
||||
if annotation == v1.SeccompProfileNameUnconfined {
|
||||
return &api.SeccompProfile{Type: api.SeccompProfileTypeUnconfined}
|
||||
}
|
||||
|
||||
if annotation == api.SeccompProfileRuntimeDefault || annotation == api.DeprecatedSeccompProfileDockerDefault {
|
||||
return &api.SeccompProfile{Type: api.SeccompProfileTypeRuntimeDefault}
|
||||
}
|
||||
|
||||
if strings.HasPrefix(annotation, v1.SeccompLocalhostProfileNamePrefix) {
|
||||
localhostProfile := strings.TrimPrefix(annotation, v1.SeccompLocalhostProfileNamePrefix)
|
||||
if localhostProfile != "" {
|
||||
return &api.SeccompProfile{
|
||||
Type: api.SeccompProfileTypeLocalhost,
|
||||
LocalhostProfile: &localhostProfile,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// we can only reach this code path if the localhostProfile name has a zero
|
||||
// length or if the annotation has an unrecognized value
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user