Add documentation about SeccompDefault feature

This adds a documentation section about the `SeccompDefault` feature gate for the kubelet. Beside that, the feature gate has been added to the list of features, too. Signed-off-by: Sascha Grunert <[email protected]>
kubernetes · May 12, 2021 · d129b8e · d129b8e
1 parent 6845b64
commit d129b8e
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -158,6 +158,7 @@ different Kubernetes components.
 | `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 |
 | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | |
 | `RunAsGroup` | `true` | Beta | 1.14 | |
+| `SeccompDefault` | `false` | Alpha | 1.22 | 1.23 |
 | `ServerSideApply` | `false` | Alpha | 1.14 | 1.15 |
 | `ServerSideApply` | `true` | Beta | 1.16 | |
 | `ServiceInternalTrafficPolicy` | `false` | Alpha | 1.21 | |
@@ -766,6 +767,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
   instead of the DaemonSet controller.
 - `SCTPSupport`: Enables the _SCTP_ `protocol` value in Pod, Service,
   Endpoints, EndpointSlice, and NetworkPolicy definitions.
+- `SeccompDefault`: Enables using the `RuntimeDefault` seccomp profile if nothing
+  else is specified within the `SecurityContext` of a workload.
 - `ServerSideApply`: Enables the [Sever Side Apply (SSA)](/docs/reference/using-api/server-side-apply/)
   feature on the API Server.
 - `ServiceAccountIssuerDiscovery`: Enable OIDC discovery endpoints (issuer and

diff --git a/content/en/docs/tutorials/clusters/seccomp.md b/content/en/docs/tutorials/clusters/seccomp.md
@@ -45,6 +45,38 @@ for the version you are using.
 
 <!-- steps -->
 
+## Enable the `RuntimeDefault` seccomp profile for all workloads
+
+A new kubelet alpha [feature gate](/docs/reference/command-line-tools-reference/feature-gates)
+`SeccompDefault` has been introduced with the release of Kubernetes v1.22.0.
+
+If enabled, the kubelet will always use the `RuntimeDefault` seccomp profile of
+the corresponding container runtime instead of running the workload in
+`Unconfined` (seccomp disabled) mode. Those profiles aim to provide a strong set
+of security default while preserving the functionality of the workload. It is
+possible that the default profiles differ between container runtimes and their
+release versions, for example when comparing those from
+[CRI-O](https://github.com/cri-o/cri-o/blob/b99366680904420974463572f6f0b92166437b0e/vendor/github.com/containers/common/pkg/seccomp/default_linux.go#L45)
+and
+[containerd](https://github.com/containerd/containerd/blob/261c107ffc4ff681bc73988f64e3f60c32233b37/contrib/seccomp/seccomp_default.go#L51).
+
+Some workloads may require a lower set of syscall restrictions. This means that
+they can fail during runtime even with the `RuntimeDefault` profile. To
+mitigate such a failure, either:
+
+- Run the workload explicitly as `Unconfined`.
+- Disable the `SeccompDefault` feature for the nodes.
+- Create a custom seccomp profile for the workload.
+
+It is recommended to enable the feature on a per-node basis and test the
+execution of workloads in conjunction with the `RuntimeDefault` profile before
+deploying them into production.
+
+Since the feature is in alpha state it is disabled per default. To enable it,
+pass the flag `--feature-gates=SeccompDefault=true` to the `kubelet` CLI or
+enable it via the [kubelet configuration
+file](/docs/tasks/administer-cluster/kubelet-config-file).
+
 ## Create Seccomp Profiles
 
 The contents of these profiles will be explored later on, but for now go ahead