Skip to content

Adding seccompProfile RuntimeDefault #2397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 21, 2025
Merged

Adding seccompProfile RuntimeDefault #2397

merged 2 commits into from
Jan 21, 2025

Conversation

tarekabouzeid
Copy link
Member

Purpose of this PR

Proposed changes:

  • Adding seccompProfile type: RuntimeDefault to controller and webhook

Change Category

  • Bugfix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that could affect existing functionality)
  • Documentation update

Rationale

Checklist

  • I have conducted a self-review of my own code.
  • I have updated documentation accordingly.
  • I have added tests that prove my changes are effective or that my feature works.
  • Existing unit tests pass locally with my changes.

Additional Notes

kubeflow/manifests#2912 (comment)

@tarekabouzeid tarekabouzeid mentioned this pull request Jan 20, 2025
Closed
7 tasks
@tarekabouzeid
updating helm docs
1dbc504 
Signed-off-by: Tarek Abouzeid <[email protected]>
jacobsalway
jacobsalway approved these changes Jan 21, 2025
View reviewed changes
Copy link
Member

@jacobsalway jacobsalway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM as this is encouraged by EKS and in GKE Autopilot. Worth nothing this will only work in k8s 1.19 and above which conflicts with the 1.16+ support we quote in the README, however I want to reduce the quoted support to the e2e test matrix in the next release anyway.

@google-oss-prow Google OSS Prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jacobsalway

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jacobsalway
Copy link
Member

/lgtm

@google-oss-prow google-oss-prow bot added the lgtm label Jan 21, 2025
@google-oss-prow google-oss-prow bot merged commit b241103 into kubeflow:master Jan 21, 2025
11 checks passed
@tarekabouzeid tarekabouzeid deleted the adding-seccomp-profile branch January 21, 2025 13:15
@juliusvonkohout
Copy link
Member

@tarekabouzeid @biswassri @jacobsalway we should extend this to all examples as well:

TODO We are missing a securitycontext in https://github.com/kubeflow/manifests/blob/73cbecfe604e84dfc7c0851630a6eb5733022dea/contrib/spark/sparkapplication_example.yaml and it should be upstreamed to the spark repository

    securityContext:
      capabilities:
        drop:
          - ALL
      runAsGroup: 0 # that is best practices on Kubernetes to run as anyuserid!=0 and group 0 for file access
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      seccompProfile:
        type: RuntimeDefault

@juliusvonkohout
Copy link
Member

juliusvonkohout commented Jan 22, 2025
edited
Loading

kubeflow/manifests#2966 is an example PR, but all examples in https://github.com/kubeflow/spark-operator/tree/master/examples must be changed as well. A point release of spark-operator would help then with the Kubeflow 1.10 release, to reduce our patches

@tarekabouzeid
Copy link
Member Author

tarekabouzeid commented Jan 22, 2025
edited
Loading

@juliusvonkohout I will submit another PR to update the examples as well

@tarekabouzeid @biswassri @jacobsalway we should extend this to all examples as well:

TODO We are missing a securitycontext in https://github.com/kubeflow/manifests/blob/73cbecfe604e84dfc7c0851630a6eb5733022dea/contrib/spark/sparkapplication_example.yaml and it should be upstreamed to the spark repository

    securityContext:
      capabilities:
        drop:
          - ALL
      runAsGroup: 0 # that is best practices on Kubernetes to run as anyuserid!=0 and group 0 for file access
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      seccompProfile:
        type: RuntimeDefault

@tarekabouzeid tarekabouzeid mentioned this pull request Jan 22, 2025
Closed
8 tasks
ChenYi015 pushed a commit that referenced this pull request Mar 21, 2025
@tarekabouzeid @ChenYi015
Adding seccompProfile RuntimeDefault (#2397)
8968f33 
* Adding seccompProfile RuntimeDefault

Signed-off-by: Tarek Abouzeid <[email protected]>

* updating helm docs

Signed-off-by: Tarek Abouzeid <[email protected]>

---------

Signed-off-by: Tarek Abouzeid <[email protected]>
(cherry picked from commit b241103)
@ChenYi015 ChenYi015 mentioned this pull request Mar 21, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andreyvelich andreyvelich Awaiting requested review from andreyvelich

@ImpSy ImpSy Awaiting requested review from ImpSy

@vara-bonthu vara-bonthu Awaiting requested review from vara-bonthu

1 more reviewer

@jacobsalway jacobsalway jacobsalway approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@jacobsalway jacobsalway

Labels
approved lgtm size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tarekabouzeid @jacobsalway @juliusvonkohout