From 29b16c3fc00de7ce3145d5e5fbe7309782b444d0 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Thu, 10 Sep 2020 00:35:46 -0700 Subject: [PATCH] Change seccomp annotations to seccompProfile * seccomp graduated to GA in Kubernetes v1.19. Support for seccomp alpha annotations will be removed in v1.22 * Replace seccomp annotations with the GA seccompProfile field in the PodTemplate securityContext * Switch profile from `docker/default` to `runtime/default` (no effective change, since docker is the runtime) * Verify with docker inspect SecurityOpt. Without the profile, you'd see `seccomp=unconfined` Related: https://github.com/poseidon/terraform-render-bootstrap/pull/215 --- CHANGES.md | 1 + addons/grafana/deployment.yaml | 5 +++-- addons/nginx-ingress/aws/deployment.yaml | 5 +++-- addons/nginx-ingress/azure/deployment.yaml | 5 +++-- addons/nginx-ingress/bare-metal/deployment.yaml | 5 +++-- addons/nginx-ingress/digital-ocean/daemonset.yaml | 5 +++-- addons/nginx-ingress/google-cloud/deployment.yaml | 5 +++-- addons/prometheus/deployment.yaml | 5 +++-- .../prometheus/exporters/kube-state-metrics/deployment.yaml | 5 +++-- addons/prometheus/exporters/node-exporter/daemonset.yaml | 4 ++-- aws/container-linux/kubernetes/bootstrap.tf | 2 +- aws/fedora-coreos/kubernetes/bootstrap.tf | 2 +- azure/container-linux/kubernetes/bootstrap.tf | 2 +- azure/fedora-coreos/kubernetes/bootstrap.tf | 2 +- bare-metal/container-linux/kubernetes/bootstrap.tf | 2 +- bare-metal/fedora-coreos/kubernetes/bootstrap.tf | 2 +- digital-ocean/container-linux/kubernetes/bootstrap.tf | 2 +- digital-ocean/fedora-coreos/kubernetes/bootstrap.tf | 2 +- google-cloud/container-linux/kubernetes/bootstrap.tf | 2 +- google-cloud/fedora-coreos/kubernetes/bootstrap.tf | 2 +- 20 files changed, 37 insertions(+), 28 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 1e87c161..3d133baa 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -5,6 +5,7 @@ Notable changes between versions.
 ## Latest
 * Kubernetes [v1.19.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#v1191)
+ * Change control plane seccomp annotations to GA `seccompProfile` ([#822](https://github.com/poseidon/typhoon/pull/822))
 * Update Cilium from v1.8.2 to [v1.8.3](https://github.com/cilium/cilium/releases/tag/v1.8.3)
 * Update Calico from v1.15.2 to [v1.15.3](https://github.com/projectcalico/calico/releases/tag/v3.15.3)
diff --git a/addons/grafana/deployment.yaml b/addons/grafana/deployment.yaml
index 59de8a76..89e18454 100644
--- a/addons/grafana/deployment.yaml
+++ b/addons/grafana/deployment.yaml
@@ -18,9 +18,10 @@ spec:
 labels:
 name: grafana
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: grafana
 image: docker.io/grafana/grafana:7.1.5
diff --git a/addons/nginx-ingress/aws/deployment.yaml b/addons/nginx-ingress/aws/deployment.yaml
index e32bfb1c..f323016b 100644
--- a/addons/nginx-ingress/aws/deployment.yaml
+++ b/addons/nginx-ingress/aws/deployment.yaml
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/nginx-ingress/azure/deployment.yaml b/addons/nginx-ingress/azure/deployment.yaml
index e32bfb1c..f323016b 100644
--- a/addons/nginx-ingress/azure/deployment.yaml
+++ b/addons/nginx-ingress/azure/deployment.yaml
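Review bot: Nothing in the manifest records that the new `securityContext.seccompProfile` block requires Kubernetes v1.19 or later; the commit message is the only place that floor is stated. As far as I know an API server older than v1.19 drops the unknown field without an error, so the pod would then run seccomp-unconfined, and the alpha annotation that used to cover that case is removed in the same hunk. A comment above the new block would make the dependency visible where it is edited: `# seccompProfile is GA in Kubernetes v1.19+; older API servers drop this field silently and the pod runs unconfined (check docker inspect SecurityOpt)`. The same applies to the nginx-ingress (aws, azure, bare-metal, digital-ocean, google-cloud), prometheus, kube-state-metrics and node-exporter hunks. The Deployment's pod spec continues past the end of the hunk.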
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/nginx-ingress/bare-metal/deployment.yaml b/addons/nginx-ingress/bare-metal/deployment.yaml
index be102c73..fdd9b270 100644
--- a/addons/nginx-ingress/bare-metal/deployment.yaml
+++ b/addons/nginx-ingress/bare-metal/deployment.yaml
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/nginx-ingress/digital-ocean/daemonset.yaml b/addons/nginx-ingress/digital-ocean/daemonset.yaml
index 2f26cf13..00c94576 100644
--- a/addons/nginx-ingress/digital-ocean/daemonset.yaml
+++ b/addons/nginx-ingress/digital-ocean/daemonset.yaml
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/nginx-ingress/google-cloud/deployment.yaml b/addons/nginx-ingress/google-cloud/deployment.yaml
index e32bfb1c..f323016b 100644
--- a/addons/nginx-ingress/google-cloud/deployment.yaml
+++ b/addons/nginx-ingress/google-cloud/deployment.yaml
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/prometheus/deployment.yaml b/addons/prometheus/deployment.yaml
index a0dbc483..5ffd82fc 100644
--- a/addons/prometheus/deployment.yaml
+++ b/addons/prometheus/deployment.yaml
@@ -14,9 +14,10 @@ spec:
 labels:
 name: prometheus
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: prometheus
 containers:
 - name: prometheus
diff --git a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
index fb5389a5..6e4660b1 100644
--- a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
+++ b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
@@ -18,9 +18,10 @@ spec:
 labels:
 name: kube-state-metrics
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: kube-state-metrics
 containers:
 - name: kube-state-metrics
diff --git a/addons/prometheus/exporters/node-exporter/daemonset.yaml b/addons/prometheus/exporters/node-exporter/daemonset.yaml
index 2a30c37b..b11fa5c6 100644
--- a/addons/prometheus/exporters/node-exporter/daemonset.yaml
+++ b/addons/prometheus/exporters/node-exporter/daemonset.yaml
@@ -17,13 +17,13 @@ spec:
 labels:
 name: node-exporter
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 serviceAccountName: node-exporter
 securityContext:
 runAsNonRoot: true
 runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 hostNetwork: true
 hostPID: true
 containers:
diff --git a/aws/container-linux/kubernetes/bootstrap.tf b/aws/container-linux/kubernetes/bootstrap.tf
index b8022873..55d718d0 100644
--- a/aws/container-linux/kubernetes/bootstrap.tf
+++ b/aws/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/aws/fedora-coreos/kubernetes/bootstrap.tf b/aws/fedora-coreos/kubernetes/bootstrap.tf
index bac64f61..b30aa6f8 100644
--- a/aws/fedora-coreos/kubernetes/bootstrap.tf
+++ b/aws/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/azure/container-linux/kubernetes/bootstrap.tf b/azure/container-linux/kubernetes/bootstrap.tf
index 9734694e..8217ad64 100644
--- a/azure/container-linux/kubernetes/bootstrap.tf
+++ b/azure/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/azure/fedora-coreos/kubernetes/bootstrap.tf b/azure/fedora-coreos/kubernetes/bootstrap.tf
index 66285851..9c6d4e36 100644
--- a/azure/fedora-coreos/kubernetes/bootstrap.tf
+++ b/azure/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/bare-metal/container-linux/kubernetes/bootstrap.tf b/bare-metal/container-linux/kubernetes/bootstrap.tf
index 3e2761a7..ef0e373e 100644
--- a/bare-metal/container-linux/kubernetes/bootstrap.tf
+++ b/bare-metal/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [var.k8s_domain_name]
diff --git a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
index f81ee857..15f4f022 100644
--- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
+++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [var.k8s_domain_name]
diff --git a/digital-ocean/container-linux/kubernetes/bootstrap.tf b/digital-ocean/container-linux/kubernetes/bootstrap.tf
index 73c05fc5..4d305ed6 100644
--- a/digital-ocean/container-linux/kubernetes/bootstrap.tf
+++ b/digital-ocean/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
index 6292c06e..03c8ad5c 100644
--- a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/google-cloud/container-linux/kubernetes/bootstrap.tf b/google-cloud/container-linux/kubernetes/bootstrap.tf
index f94c10c2..a23a401c 100644
--- a/google-cloud/container-linux/kubernetes/bootstrap.tf
+++ b/google-cloud/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
index ac91705f..93c2ed21 100644
--- a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
+++ b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]