Add support for seccomp
Description
Secure Computing (seccomp) profiles became GA in Kubernetes 1.19, so we would like to make use of them. Prior to 1.25 this was possible via config.toml by adding the pod annotations below:
[[runners]]
  [runners.kubernetes]
    [runners.kubernetes.pod_annotations]
      "container.seccomp.security.alpha.kubernetes.io/build" = "runtime/default"
      "container.seccomp.security.alpha.kubernetes.io/helper" = "runtime/default"
      "container.seccomp.security.alpha.kubernetes.io/init-permissions" = "runtime/default"
      "seccomp.security.alpha.kubernetes.io/pod" = "runtime/default"
However, as of v1.25 these annotations are deprecated, and the only way to set the seccomp profile for the containers is via securityContext:
containers:
  - name: build
    securityContext:
      seccompProfile:
        type: RuntimeDefault
  - name: helper
    securityContext:
      seccompProfile:
        type: RuntimeDefault
  - name: init-permissions
    securityContext:
      seccompProfile:
        type: RuntimeDefault
Same for pods:
apiVersion: v1
kind: Pod
metadata:
  name: runner-(random_alphanumeric_string)-project-(project_id)-concurrent-(random_alphanumeric_string)
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
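To make the migration from annotations to securityContext concrete, here is an added example (not part of this issue and not GitLab Runner code) that rewrites the deprecated annotations shown above into the equivalent securityContext fields and then resolves the profile each container effectively runs with. It applies the documented Kubernetes precedence: a container-level seccompProfile overrides the pod-level one, and with neither set the container is Unconfined unless the kubelet enables a default profile. The pod manifests are constructed inline from the annotation keys used in this issue; the container names build, helper and init-permissions are the runner's, everything else is an assumption.

```python
"""Migrate legacy seccomp annotations to securityContext and audit the effective profiles.

Added example; assumes plain-dict manifests rather than client-go / kubernetes-client objects.
"""
from __future__ import annotations

import copy

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def annotation_to_profile(value: str) -> dict:
    """Translate a legacy annotation value into a securityContext.seccompProfile object."""
    if value == "runtime/default":
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/"):
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unknown seccomp annotation value: {value!r}")


def _all_containers(spec: dict) -> list[dict]:
    # init containers (the runner's init-permissions) carry their own securityContext too
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def migrate_annotations(pod: dict) -> dict:
    """Return a copy of the pod with seccomp annotations moved into securityContext fields."""
    pod = copy.deepcopy(pod)
    annotations = pod.setdefault("metadata", {}).setdefault("annotations", {})
    spec = pod.setdefault("spec", {})
    if POD_ANNOTATION in annotations:
        profile = annotation_to_profile(annotations.pop(POD_ANNOTATION))
        spec.setdefault("securityContext", {})["seccompProfile"] = profile
    for container in _all_containers(spec):
        key = CONTAINER_ANNOTATION_PREFIX + container["name"]
        if key in annotations:
            profile = annotation_to_profile(annotations.pop(key))
            container.setdefault("securityContext", {})["seccompProfile"] = profile
    return pod


def effective_profiles(pod: dict) -> dict[str, str]:
    """Resolve the profile type each container runs with.

    Container-level seccompProfile wins over pod-level; with neither set the
    container is Unconfined (the kubelet default when no default profile is configured).
    """
    spec = pod.get("spec", {})
    pod_level = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    result = {}
    for container in _all_containers(spec):
        own = container.get("securityContext", {}).get("seccompProfile", {}).get("type")
        result[container["name"]] = own or pod_level or "Unconfined"
    return result


def unconfined_containers(pod: dict) -> list[str]:
    """Names of containers that would run without a seccomp filter; useful as an admission check."""
    return [name for name, kind in effective_profiles(pod).items() if kind == "Unconfined"]


# Constructed sample: the pod the runner would create with the pre-1.25 config.toml annotations.
LEGACY_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "runner-example-project-1-concurrent-0",  # placeholder name
        "annotations": {
            CONTAINER_ANNOTATION_PREFIX + "build": "runtime/default",
            CONTAINER_ANNOTATION_PREFIX + "helper": "runtime/default",
            CONTAINER_ANNOTATION_PREFIX + "init-permissions": "runtime/default",
            POD_ANNOTATION: "runtime/default",
        },
    },
    "spec": {
        "initContainers": [{"name": "init-permissions"}],
        "containers": [{"name": "build"}, {"name": "helper"}],
    },
}

# Constructed sample showing precedence: pod-level RuntimeDefault, helper explicitly opts out.
MIXED_POD = {
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "build"},
            {"name": "helper", "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}

if __name__ == "__main__":
    print(effective_profiles(migrate_annotations(LEGACY_POD)))
    print("unconfined in MIXED_POD:", unconfined_containers(MIXED_POD))
```

Running the block prints RuntimeDefault for all three runner containers after migration, and flags helper in the second pod, which is the case a per-container setting in config.toml would need to express in a multi-tenant cluster.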
Proposal
Please add support for setting the seccomp profile via a dedicated section in config.toml. This should be available for both the pod-level security context and the container-level security context, so that multi-tenant clusters can run pods and/or containers with different profiles in different namespaces.
Links to related issues and merge requests / references
- Docs: https://kubernetes.io/docs/tutorials/security/seccomp/
- PR partially removing support for annotations: https://github.com/kubernetes/kubernetes/pull/109819
- More docs showing both pod and container style annotations are deprecated: https://kubernetes.io/docs/reference/labels-annotations-taints/#seccomp-security-alpha-kubernetes-io-pod
Edited by Thomas Spear