Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add dedicated seccomp node reference #47967

Merged
merged 1 commit into from
Oct 8, 2024
Merged

Add dedicated seccomp node reference #47967

merged 1 commit into from
Oct 8, 2024

Conversation

saschagrunert
Copy link
Member

@saschagrunert saschagrunert commented Sep 17, 2024
edited
Loading

Description

Adding a node reference page about seccomp.

Issue

Fixes #47687

Preview: https://deploy-preview-47967--kubernetes-io-main-staging.netlify.app/docs/reference/node/seccomp/

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 17, 2024
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 17, 2024
@k8s-ci-robot k8s-ci-robot added language/en Issues or PRs related to English language size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 17, 2024
@saschagrunert saschagrunert mentioned this pull request Sep 17, 2024
Closed
@netlify Netlify
Copy link

netlify bot commented Sep 17, 2024
edited
Loading

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit c2b49fe
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/6704f55e43ae0900088ade2f
😎 Deploy Preview https://deploy-preview-47967--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 17, 2024
@saschagrunert saschagrunert changed the title WIP: Add dedicated seccomp node reference Add dedicated seccomp node reference Sep 17, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 17, 2024
@saschagrunert
Copy link
Member Author

Opening this up for a first review. I assume we can extend into various directions.

@sftim
Copy link
Contributor

sftim commented Sep 17, 2024

/sig node security

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. sig/security Categorizes an issue or PR as relevant to SIG Security. labels Sep 17, 2024
sftim
sftim reviewed Sep 17, 2024
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

Optionally, also edit https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/ and / or https://kubernetes.io/docs/concepts/security/linux-kernel-security-constraints/ to link to the new page.

content/en/docs/reference/node/_index.md Outdated Show resolved Hide resolved
content/en/docs/reference/node/seccomp.md Outdated Show resolved Hide resolved
content/en/docs/reference/node/seccomp.md Outdated Show resolved Hide resolved
content/en/examples/pods/security/seccomp/profile.json Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be best placed in a different path so that it doesn't fail our (manual) manifest validation checks.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure where's best though.

content/en/examples/pods/security/seccomp/fields.yaml Outdated Show resolved Hide resolved
content/en/docs/reference/node/seccomp.md Outdated Show resolved Hide resolved
sftim
sftim reviewed Sep 17, 2024
View reviewed changes
content/en/docs/reference/node/seccomp.md Outdated
: A default seccomp profile defined by the {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} is applied.

`Localhost`
: The `localhostProfile` will be applied, which has to be available on the node disk (on Linux it's `/var/lib/kubelet/seccomp`).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(aside) Feels relevant to #47425

@sftim sftim mentioned this pull request Sep 17, 2024
Merged
@saschagrunert saschagrunert force-pushed the seccomp branch 2 times, most recently from f5e1026 to f4d6cf1 Compare September 19, 2024 09:07
SergeyKanzhelev
SergeyKanzhelev approved these changes Sep 19, 2024
View reviewed changes
Copy link
Member

@SergeyKanzhelev SergeyKanzhelev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

one suggestion, but looks OK

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 19, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: ffb06adca55b030ea95222024a79248a216719b2

@dipesh-rawat
Copy link
Member

@saschagrunert, what do you think of SergeyKanzhelev's suggestion?

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 7, 2024
@saschagrunert
Copy link
Member Author

@dipesh-rawat I incorporated the requested changes. 👍

tengqm
tengqm reviewed Oct 8, 2024
View reviewed changes
content/en/docs/reference/node/seccomp.md Outdated Show resolved Hide resolved
content/en/docs/reference/node/seccomp.md Outdated Show resolved Hide resolved
content/en/docs/reference/node/seccomp.md Outdated Show resolved Hide resolved
content/en/docs/reference/node/seccomp.md Outdated Show resolved Hide resolved
content/en/docs/reference/node/seccomp.md Outdated Show resolved Hide resolved
@tengqm
Copy link
Contributor

tengqm commented Oct 8, 2024

/lgtm
Thanks.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 8, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: ef91a36fe446b8ff5b7dac366cf39af471e3aad4

SergeyKanzhelev
SergeyKanzhelev approved these changes Oct 8, 2024
View reviewed changes
Copy link
Member

@SergeyKanzhelev SergeyKanzhelev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

dipesh-rawat
dipesh-rawat reviewed Oct 8, 2024
View reviewed changes
Copy link
Member

@dipesh-rawat dipesh-rawat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dipesh-rawat, SergeyKanzhelev

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 8, 2024
@k8s-ci-robot k8s-ci-robot merged commit 4585cc1 into kubernetes:main Oct 8, 2024
6 checks passed
@sftim
Copy link
Contributor

sftim commented Oct 8, 2024

@saschagrunert, I appreciate this improvement. Thank you.

@saschagrunert saschagrunert deleted the seccomp branch October 9, 2024 07:09
@windsonsea windsonsea mentioned this pull request Oct 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sftim sftim sftim left review comments

@dipesh-rawat dipesh-rawat dipesh-rawat left review comments

@tengqm tengqm tengqm left review comments

@SergeyKanzhelev SergeyKanzhelev SergeyKanzhelev approved these changes

@kbhawkey kbhawkey Awaiting requested review from kbhawkey

@mengjiao-liu mengjiao-liu Awaiting requested review from mengjiao-liu

Assignees

@tengqm tengqm

@SergeyKanzhelev SergeyKanzhelev

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/security Categorizes an issue or PR as relevant to SIG Security. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
SIG Node: code and documentation PRs
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add seccomp page for Node Reference Information
6 participants
@saschagrunert @sftim @k8s-ci-robot @dipesh-rawat @tengqm @SergeyKanzhelev