Use the "runtime default" seccomp profile #3629
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
e3d2428 to
41795ce
Compare
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #3629 +/- ##
==========================================
+ Coverage 52.21% 52.23% +0.02%
==========================================
Files 59 59
Lines 16877 16877
==========================================
+ Hits 8812 8816 +4
+ Misses 7768 7766 -2
+ Partials 297 295 -2 see 1 file with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
62f1e1d to
23d3df0
Compare
lucacome
reviewed
Mar 10, 2023
deployments/helm-chart-dos-arbitrator/templates/controller-deployment.yaml
Outdated
Show resolved
Hide resolved
04131cc to
0ad9840
Compare
lucacome
approved these changes
Mar 14, 2023
0ad9840 to
7213349
Compare
jjngx
approved these changes
Mar 14, 2023
seccomp profiles allow sandboxing processes, in particular to restrict allowed syscalls from applications to the kernel. Kubernetes default in current release is Unconfined seccomp profile, which is essentially privileged. It is preferred for security purposes to restrict this. KEP-2413 proposes that RuntimeDefault will become the new default for Kubernetes. With Kubernetes v1.25, this is in Beta, and available with `SeccompDefault` feature gate and `--seccomp-default` CLI flag. `nginx-ingress` should switch to this new default, in order to ensure compatibility down the line, as well as enable enhanced security on older Kubernetes versions. Co-authored-by: Christian Ihle <blurpy@users.noreply.github.com>
7213349 to
dee411a
Compare
|
@sigv This looks good. Tested the PR against edge with success! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
seccomp profiles allow sandboxing processes, in particular to restrict allowed syscalls from applications to the kernel. Kubernetes default in current release is Unconfined seccomp profile, which is essentially privileged. It is preferred for security purposes to restrict this.
KEP-2413 proposes that RuntimeDefault will become the new default for Kubernetes. With Kubernetes v1.25, this is in Beta, and available with
SeccompDefaultfeature gate and--seccomp-defaultCLI flag.nginx-ingressshould switch to this new default, in order to ensure compatibility down the line, as well as enable enhanced security on older Kubernetes versions.This improves on #3544 as reported by @blurpy.
Checklist
Before creating a PR, run through this checklist and mark each as complete.