
Implement SeccompProfile CRD and controller #125

Merged (1 commit, Sep 30, 2020)

Conversation

cmurphy (Contributor)

@cmurphy cmurphy commented Sep 3, 2020

This change implements a SeccompProfile custom resource API. A new
SeccompProfile type is created and the controller Reconciler is modified
to handle either a SeccompProfile Kind or a ConfigMap describing a
seccomp profile. The CRD manifest is generated by the new type.

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #117

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Added new Custom Resource Definition `seccompprofiles.seccomp-operator.k8s-sigs.io` as an alternative to an annotated ConfigMap for defining seccomp profiles.

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Sep 3, 2020
k8s-ci-robot (Contributor)

Hi @cmurphy. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Sep 3, 2020
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Sep 3, 2020
saschagrunert (Member)

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 3, 2020
saschagrunert (Member) left a comment

Great work so far, just two nits on the deployment.

deploy/operator.yaml: two inline comments (outdated, resolved)
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 3, 2020
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 4, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 4, 2020
hasheddan (Contributor) left a comment

Thanks for the awesome work here @cmurphy! Excited to see this coming along! 🎉

resources:
- seccompprofiles
verbs:
- create
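Review bot: the `create` verb on `seccompprofiles` widens the operator's RBAC beyond what a reconciler that only reads and watches the resource needs; drop `create` (keeping `get`, `list`, `watch`, and a status-subresource `update`/`patch` only if the controller actually writes status) so the service account stays at least privilege.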
Contributor:

Do we need create permissions on the SeccompProfile resource?

Contributor Author:

Nope, will remove

@@ -0,0 +1,94 @@
---
apiVersion: apiextensions.k8s.io/v1
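Review bot: this 94-line CRD manifest is checked in as a hand-maintained file while the PR description says the CRD is generated from the new type; wire the generation into `go generate` (controller-gen from controller-tools) and have CI fail when the committed manifest drifts from the Go type, otherwise the validation schema and the struct will diverge silently.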
Contributor:

In regards to generating, I think it would be good to do this from the beginning to make sure we stay in sync. This is fairly straightforward with controller-tools. Here is an example of doing so with go generate --> https://github.com/crossplane/crossplane/blob/3ea5d036778e0c257960983d0cdb9271f12dc895/apis/generate.go#L26

)

func init() {
_ = clientgoscheme.AddToScheme(scheme)
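Review bot: `_ = clientgoscheme.AddToScheme(scheme)` discards the registration error; either return or log it, or drop the call if the client-go types are not needed. A registration that fails silently in `init()` only surfaces later as an opaque "no kind is registered" error at runtime.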
Contributor:

Do we need to add the clientgoscheme here?

Contributor Author:

Apparently not, if I incorporate your other suggestion about the scheme

@@ -103,6 +112,7 @@ func run(*cli.Context) error {

ctrlOpts := ctrl.Options{
SyncPeriod: &sync,
Scheme: scheme,
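Review bot: `Scheme: scheme` hands the manager a package-level scheme populated by `init()`; leaving the field unset lets `ctrl.NewManager` create one, after which the API types can be added through `mgr.GetScheme()` with the error checked, keeping scheme setup inside `run()` and out of package init side effects.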
Contributor:

nitpick: you can leave this empty and ctrl.NewManager() will create a *runtime.Scheme for you, which you can then add types to with something like:

if err := seccompoperatorv1alpha1.AddToScheme(mgr.GetScheme()); err != nil {
	return errors.Wrap(err, "Cannot add core Seccomp APIs to scheme")
}

Contributor Author:

👍

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Sep 15, 2020
saschagrunert (Member)

@cmurphy feel free to drop the WIP if you think this is ready for another round of review 😊

cmurphy (Contributor Author)

cmurphy commented Sep 16, 2020

@saschagrunert I will once I get the tests fixed 😄

@cmurphy cmurphy changed the title from "[WIP] Implement SeccompProfile CRD and controller" to "Implement SeccompProfile CRD and controller" Sep 17, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 17, 2020
k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cmurphy, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 18, 2020
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 18, 2020
cmurphy (Contributor Author)

cmurphy commented Sep 18, 2020

Noticed errors on the validation of flags and architectures; the latest revision fixes them.
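
As an added example, not code from this PR or from the seccomp-operator itself, here is a stdlib-only Go validator for the profile JSON a SeccompProfile carries, rejecting unknown SCMP_ACT_* actions and SCMP_ARCH_* architectures and reporting every finding at once. The field layout follows the OCI runtime-spec seccomp format and the allowed-value lists are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Syscall and Profile mirror the OCI runtime-spec seccomp JSON (field layout assumed here).
type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}
type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Architectures []string  `json:"architectures"`
	Syscalls      []Syscall `json:"syscalls"`
}
// Allowed values are the libseccomp/OCI constant names; anything else is rejected.
var validActions = map[string]bool{"SCMP_ACT_KILL": true, "SCMP_ACT_KILL_PROCESS": true, "SCMP_ACT_TRAP": true,
	"SCMP_ACT_ERRNO": true, "SCMP_ACT_TRACE": true, "SCMP_ACT_ALLOW": true, "SCMP_ACT_LOG": true}
var validArches = map[string]bool{"SCMP_ARCH_X86": true, "SCMP_ARCH_X86_64": true, "SCMP_ARCH_X32": true,
	"SCMP_ARCH_ARM": true, "SCMP_ARCH_AARCH64": true, "SCMP_ARCH_PPC64LE": true, "SCMP_ARCH_S390X": true}
// ValidateProfile returns every problem in the profile JSON (nil when valid) so an author sees them all at once.
func ValidateProfile(raw []byte) []string {
	var p Profile
	if err := json.Unmarshal(raw, &p); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	var errs []string
	if !validActions[p.DefaultAction] {
		errs = append(errs, fmt.Sprintf("defaultAction: unknown action %q", p.DefaultAction))
	}
	for _, a := range p.Architectures {
		if !validArches[a] {
			errs = append(errs, fmt.Sprintf("architectures: unknown architecture %q", a))
		}
	}
	for i, s := range p.Syscalls {
		if len(s.Names) == 0 {
			errs = append(errs, fmt.Sprintf("syscalls[%d]: names must not be empty", i))
		}
		if !validActions[s.Action] {
			errs = append(errs, fmt.Sprintf("syscalls[%d]: unknown action %q", i, s.Action))
		}
	}
	return errs
}
func main() { // constructed input: a bad architecture name, an empty names list and a misspelled action
	raw := []byte(`{"defaultAction":"SCMP_ACT_ERRNO","architectures":["SCMP_ARCH_AMD64"],"syscalls":[{"names":[],"action":"SCMP_ACT_ALOW"}]}`)
	fmt.Println(ValidateProfile(raw)) // three findings
}
```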

@cmurphy cmurphy force-pushed the crd branch 2 times, most recently from fdecb90 to fa85960 on September 21, 2020 22:56
cmurphy (Contributor Author)

cmurphy commented Sep 21, 2020

Added an e2e test.

saschagrunert (Member) left a comment

Thank you! PTAL @hasheddan @pjbgf

pjbgf (Member) left a comment

Really good stuff, thank you for this contribution.
Overall it is a lgtm from me once we change the group to a temporary one.


// Package v1alpha1 contains API Schema definitions for the seccomp-operator v1alpha1 API group
// +kubebuilder:object:generate=true
// +groupName=seccomp-operator.k8s-sigs.io
Member:

Tricky one! Would you be opposed to using something internal (without k8s-sigs.io) and opening an issue for us to resolve this later on, depending on whether or not the project gets renamed? I'd rather we go for a name submission/approval only once if possible.

We probably could start with seccompprofiles.seccomp-operator.io and then change and submit for approval when/if we finally decide on the project renaming.

pjbgf (Member) left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Sep 24, 2020
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Sep 24, 2020
pjbgf (Member) left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 25, 2020
hasheddan (Contributor) left a comment

/lgtm

Thanks for the awesome work here @cmurphy!!

pjbgf (Member)

pjbgf commented Sep 30, 2020

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 30, 2020
@k8s-ci-robot k8s-ci-robot merged commit ae1dbf2 into kubernetes-sigs:master Sep 30, 2020
saschagrunert (Member)

Great work @cmurphy! Are there any follow ups we can consider?

cmurphy (Contributor Author)

cmurphy commented Oct 1, 2020

@saschagrunert yes, I just proposed #138 as an idea to address #131. I think we might also want another PR to address the part of #117 that is not addressed here, "provides a useful abstraction, like the minimum amount of syscalls needed for container runtimes like runc". Also, documentation 😄

Development

Successfully merging this pull request may close these issues.

Custom Resource Definition (CRD) for profiles
5 participants