Change seccomp annotations to seccompProfile

* seccomp graduated to GA in Kubernetes v1.19. Support for
seccomp alpha annotations will be removed in v1.22
* Replace seccomp annotations with the GA seccompProfile
field in the PodTemplate securityContext
* Switch profile from `docker/default` to `runtime/default`
(no effective change, since docker is the runtime)
* Verify with `docker inspect` (the `SecurityOpt` field). Without the profile,
you'd see `seccomp=unconfined`

Related: https://github.com/poseidon/terraform-render-bootstrap/pull/215
This commit is contained in:
Dalton Hubble 2020-09-10 00:35:46 -07:00
parent 0c7a879bc4
commit 29b16c3fc0
20 changed files with 37 additions and 28 deletions


@ -5,6 +5,7 @@ Notable changes between versions.
## Latest ## Latest
* Kubernetes [v1.19.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#v1191) * Kubernetes [v1.19.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#v1191)
* Change control plane seccomp annotations to GA `seccompProfile` ([#822](https://github.com/poseidon/typhoon/pull/822))
* Update Cilium from v1.8.2 to [v1.8.3](https://github.com/cilium/cilium/releases/tag/v1.8.3) * Update Cilium from v1.8.2 to [v1.8.3](https://github.com/cilium/cilium/releases/tag/v1.8.3)
* Update Calico from v1.15.2 to [v1.15.3](https://github.com/projectcalico/calico/releases/tag/v3.15.3) * Update Calico from v1.15.2 to [v1.15.3](https://github.com/projectcalico/calico/releases/tag/v3.15.3)


@ -18,9 +18,10 @@ spec:
labels: labels:
name: grafana name: grafana
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: grafana - name: grafana
image: docker.io/grafana/grafana:7.1.5 image: docker.io/grafana/grafana:7.1.5
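Review bot: The pod-level `securityContext.seccompProfile` added here is only a default; a container that sets its own `securityContext.seccompProfile` takes precedence, and since the container list is cut off at the end of the hunk that cannot be confirmed from this view. A one-line comment above the new stanza would keep that intent visible to the next editor, e.g. `# Pod-level seccomp default; a container-level seccompProfile overrides it`. The same applies to the identical hunks for nginx-ingress-controller (five manifests), prometheus and kube-state-metrics in this commit. Separately, the GA field is only understood by v1.19+ components; the changelog in this commit pins v1.19.1 so the change is consistent, but on a skewed older kubelet the pod could end up with no profile at all, which is exactly what the `docker inspect` check in the description guards against — worth keeping that verification in the upgrade notes rather than assuming the apiserver mirrors the field into the legacy annotation.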


@ -17,9 +17,10 @@ spec:
labels: labels:
name: nginx-ingress-controller name: nginx-ingress-controller
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: nginx-ingress-controller - name: nginx-ingress-controller
image: k8s.gcr.io/ingress-nginx/controller:v0.35.0 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0


@ -17,9 +17,10 @@ spec:
labels: labels:
name: nginx-ingress-controller name: nginx-ingress-controller
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: nginx-ingress-controller - name: nginx-ingress-controller
image: k8s.gcr.io/ingress-nginx/controller:v0.35.0 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0


@ -17,9 +17,10 @@ spec:
labels: labels:
name: nginx-ingress-controller name: nginx-ingress-controller
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: nginx-ingress-controller - name: nginx-ingress-controller
image: k8s.gcr.io/ingress-nginx/controller:v0.35.0 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0


@ -17,9 +17,10 @@ spec:
labels: labels:
name: nginx-ingress-controller name: nginx-ingress-controller
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: nginx-ingress-controller - name: nginx-ingress-controller
image: k8s.gcr.io/ingress-nginx/controller:v0.35.0 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0


@ -17,9 +17,10 @@ spec:
labels: labels:
name: nginx-ingress-controller name: nginx-ingress-controller
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: nginx-ingress-controller - name: nginx-ingress-controller
image: k8s.gcr.io/ingress-nginx/controller:v0.35.0 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0


@ -14,9 +14,10 @@ spec:
labels: labels:
name: prometheus name: prometheus
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: prometheus serviceAccountName: prometheus
containers: containers:
- name: prometheus - name: prometheus


@ -18,9 +18,10 @@ spec:
labels: labels:
name: kube-state-metrics name: kube-state-metrics
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: kube-state-metrics serviceAccountName: kube-state-metrics
containers: containers:
- name: kube-state-metrics - name: kube-state-metrics


@ -17,13 +17,13 @@ spec:
labels: labels:
name: node-exporter name: node-exporter
phase: prod phase: prod
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
serviceAccountName: node-exporter serviceAccountName: node-exporter
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65534 runAsUser: 65534
seccompProfile:
type: RuntimeDefault
hostNetwork: true hostNetwork: true
hostPID: true hostPID: true
containers: containers:
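Review bot: `seccompProfile` is appended to a `securityContext` whose sibling keys `hostNetwork: true` and `hostPID: true` remain in place, so the RuntimeDefault profile narrows the syscall surface but does not change what those host namespaces expose; a short comment would stop a reader from assuming the profile offsets them, e.g. `# RuntimeDefault seccomp limits syscalls; it does not confine hostPID/hostNetwork access`. In the other manifests in this commit the new stanza sits directly under `spec:`, while here it follows `serviceAccountName`; key order is not significant to the API server, so this is only a consistency note. The pod template continues past the end of the hunk.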


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [var.k8s_domain_name] api_servers = [var.k8s_domain_name]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [var.k8s_domain_name] api_servers = [var.k8s_domain_name]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]


@ -1,6 +1,6 @@
# Kubernetes assets (kubeconfig, manifests) # Kubernetes assets (kubeconfig, manifests)
module "bootstrap" { module "bootstrap" {
source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73" source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
cluster_name = var.cluster_name cluster_name = var.cluster_name
api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)] api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]