Implement SeccompProfile CRD and controller

This change implements a SeccompProfile custom resource API. A new
SeccompProfile type is created and the controller Reconciler is modified
to handle either a SeccompProfile Kind or a ConfigMap describing a
seccomp profile. The CRD manifest is generated by the new type.

Makefile

@@ -41,6 +41,8 @@ LDFLAGS := -s -w -linkmode external -extldflags "-static" $(LDVARS)
 CONTAINER_RUNTIME ?= docker
 IMAGE ?= $(PROJECT):latest
 
+CRD_OPTIONS ?= "crd:crdVersions=v1"
+
 GOLANGCI_LINT_VERSION = v1.30.0
 REPO_INFRA_VERSION = v0.0.10
 
@@ -82,7 +84,7 @@ go-mod: ## Cleanup and verify go modules
 		$(GO) mod verify
 
 .PHONY: deployments
-deployments: ## Generate the deployment files with kustomize
+deployments: manifests ## Generate the deployment files with kustomize
 	kustomize build --reorder=none deploy/overlays/cluster -o deploy/operator.yaml
 	kustomize build --reorder=none deploy/overlays/namespaced -o deploy/namespace-operator.yaml
 
@@ -135,3 +137,11 @@ test-unit: $(BUILD_DIR) ## Run the unit tests
 .PHONY: test-e2e
 test-e2e: ## Run the end-to-end tests
 	$(GO) test -timeout 20m -tags e2e -count=1 ./test/... -v
+
+# Generate CRD manifest
+manifests:
+	$(GO) run -tags generate sigs.k8s.io/controller-tools/cmd/controller-gen $(CRD_OPTIONS) paths="./api/..." output:crd:stdout > deploy/base/crd.yaml
+
+# Generate deepcopy code
+generate:
+	$(GO) run -tags generate sigs.k8s.io/controller-tools/cmd/controller-gen object:headerFile="hack/boilerplate/boilerplate.go.txt",year=$(shell date -u "+%Y") paths="./..."

api/v1alpha1/groupversion_info.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the seccomp-operator v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=seccomp-operator.k8s-sigs.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "seccomp-operator.k8s-sigs.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/v1alpha1/seccompprofile_types.go

@@ -0,0 +1,109 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"github.com/containers/common/pkg/seccomp"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SeccompProfileSpec defines the desired state of SeccompProfile.
+type SeccompProfileSpec struct {
+	// Properties from containers/common/pkg/seccomp.Seccomp type
+
+	// the default action for seccomp
+	//nolint:lll
+	// +kubebuilder:validation:Enum=SCMP_ACT_KILL;SCMP_ACT_KILL_PROCESS;SCMP_ACT_KILL_THREAD;SCMP_ACT_TRAP;SCMP_ACT_ERRNO;SCMP_ACT_TRACE;SCMP_ACT_ALLOW;SCMP_ACT_LOG
+	DefaultAction seccomp.Action `json:"defaultAction"`
+	// the architecture used for system calls
+	Architectures []*Arch `json:"architectures,omitempty"`
+	// match a syscall in seccomp. While this property is OPTIONAL, some values
+	// of defaultAction are not useful without syscalls entries. For example,
+	// if defaultAction is SCMP_ACT_KILL and syscalls is empty or unset, the
+	// kernel will kill the container process on its first syscall
+	Syscalls []*Syscall `json:"syscalls,omitempty"`
+
+	// Additional properties from OCI runtime spec
+
+	// list of flags to use with seccomp(2)
+	Flags []*Flag `json:"flags,omitempty"`
+}
+
+//nolint:lll
+// +kubebuilder:validation:Enum=SCMP_ARCH_X86;SCMP_ARCH_X86_64;SCMP_ARCH_X32;SCMP_ARCH_ARM;SCMP_ARCH_AARCH64;SCMP_ARCH_MIPS;SCMP_ARCH_MIPS64;SCMP_ARCH_MIPS64N32;SCMP_ARCH_MIPSEL;SCMP_ARCH_MIPSEL64;SCMP_ARCH_MIPSEL64N32;SCMP_ARCH_PPC;SCMP_ARCH_PPC64;SCMP_ARCH_PPC64LE;SCMP_ARCH_S390;SCMP_ARCH_S390X;SCMP_ARCH_PARISC;SCMP_ARCH_PARISC64;SCMP_ARCH_RISCV64
+type Arch string
+
+// +kubebuilder:validation:Enum=SECCOMP_FILTER_FLAG_TSYNC;SECCOMP_FILTER_FLAG_LOG;SECCOMP_FILTER_FLAG_SPEC_ALLOW
+type Flag string
+
+// Syscall defines a syscall in seccomp.
+type Syscall struct {
+	// the names of the syscalls
+	Names []string `json:"names"`
+	// the action for seccomp rules
+	//nolint:lll
+	// +kubebuilder:validation:Enum=SCMP_ACT_KILL;SCMP_ACT_KILL_PROCESS;SCMP_ACT_KILL_THREAD;SCMP_ACT_TRAP;SCMP_ACT_ERRNO;SCMP_ACT_TRACE;SCMP_ACT_ALLOW;SCMP_ACT_LOG
+	Action seccomp.Action `json:"action"`
+	// the errno return code to use. Some actions like SCMP_ACT_ERRNO and
+	// SCMP_ACT_TRACE allow to specify the errno code to return
+	ErrnoRet string `json:"errnoRet,omitempty"`
+	// the specific syscall in seccomp
+	// +kubebuilder:validation:MaxItems=6
+	Args []*Arg `json:"args,omitempty"`
+}
+
+// Arg defines the specific syscall in seccomp.
+type Arg struct {
+	// the index for syscall arguments in seccomp
+	// +kubebuilder:validation:Minimum=0
+	Index uint `json:"index"`
+	// the value for syscall arguments in seccomp
+	// +kubebuilder:validation:Minimum=0
+	Value uint64 `json:"value,omitempty"`
+	// the value for syscall arguments in seccomp
+	// +kubebuilder:validation:Minimum=0
+	ValueTwo uint64 `json:"valueTwo,omitempty"`
+	// the operator for syscall arguments in seccomp
+	//nolint:lll
+	// +kubebuilder:validation:Enum=SCMP_CMP_NE;SCMP_CMP_LT;SCMP_CMP_LE;SCMP_CMP_EQ;SCMP_CMP_GE;SCMP_CMP_GT;SCMP_CMP_MASKED_EQ
+	Op seccomp.Operator `json:"op"`
+}
+
+// +kubebuilder:object:root=true
+
+// SeccompProfile is a cluster level specification for a seccomp profile.
+// See https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp
+// +kubebuilder:resource:shortName=sp
+type SeccompProfile struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec SeccompProfileSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// SeccompProfileList contains a list of SeccompProfile.
+type SeccompProfileList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SeccompProfile `json:"items"`
+}
+
+func init() { //nolint:gochecknoinits
+	SchemeBuilder.Register(&SeccompProfile{}, &SeccompProfileList{})
+}

cmd/seccomp-operator/main.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/klog/v2/klogr"
 	ctrl "sigs.k8s.io/controller-runtime"
 
+	seccompoperatorv1alpha1 "sigs.k8s.io/seccomp-operator/api/v1alpha1"
 	"sigs.k8s.io/seccomp-operator/internal/pkg/config"
 	"sigs.k8s.io/seccomp-operator/internal/pkg/controllers/profile"
 	"sigs.k8s.io/seccomp-operator/internal/pkg/version"
@@ -114,6 +115,10 @@ func run(*cli.Context) error {
 		return errors.Wrap(err, "create manager")
 	}
 
+	if err := seccompoperatorv1alpha1.AddToScheme(mgr.GetScheme()); err != nil {
+		return errors.Wrap(err, "add core seccomp APIs to scheme")
+	}
+
 	if err := profile.Setup(mgr, ctrl.Log.WithName("profile")); err != nil {
 		return errors.Wrap(err, "setup profile controller")
 	}