SCC seccomp support

[pweil-]

Support for kube 1.3 alpha seccomp feature.

[pweil-]

@smarterclayton @liggitt ready for review. I want to do some final manual testing before merge but this is the back port of the proposed changes upstream in a 1.3 compatible way.

A good question here is if we really care about this control in the alpha phase and if we should maybe be disabling seccomp altogether until it is out of alpha.

Some items to consider:

1. This is annotation based which kind of stinks - pulling in the 1.4 proposed changes for field based seccomp is too risky at this point
2. Moving from unconfined to seccomp enforcing poses a security risk

Scenario: currently all seccomp annotations are ignored. If someone adds an annotation before the upgrade process happens it is an unvalidated annotation and can contain ../../<any file I want. This file will be read and passed as security opts to docker. I'm not sure if that can be exploited in any way but we should be aware of it.

In any case, this gives admin control of validation and defaulting but does not protect against the above scenario.

[pweil-]

[test]

[pweil-]

re[test]

[pweil-]

re[test]

[mfojtik]

@smarterclayton @liggitt can we have this reviewed asap? it is 3.3 blocker :)

[pweil-]

flake #9959

re[test]

[smarterclayton]

Why are we not making this restrictive? Do we have a value that is actually secure that we can use here?

[pweil-]

This is the privileged SCC. I left the other SCCs as is for 3.3 which means no seccomp value can be specified and the kubelet default will be used.

The discussion upstream is to change the kubelet default to docker/default but since that is untested I was thinking that the better option is to leave this up to the administrator.

[pweil-]

oh, and this was changed specifically because the seccomp feature conformance tests need to be able to specify the annotation.

[pweil-]

flake #9959 re[test]

[stevekuznetsov]

re[test]

[smarterclayton]

LGTM

[pweil-]

re[test]

[pweil-]

flake #10080 re[test]

[openshift-bot]

Evaluated for origin test up to 54550af

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7387/)

[pweil-]

tests are green. Last call 🍻

[smarterclayton]

[merge]

On Tue, Aug 2, 2016 at 12:58 PM, Paul Weil [email protected] wrote:

tests are green. Last call 🍻

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#9715 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABG_pxh-xx5MYsvfGMeRLne3AO-qrnpSks5qb3cZgaJpZM4JGJMp
.

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7387/) (Image: devenv-rhel7_4730)

[openshift-bot]

Evaluated for origin merge up to 54550af