
jcpunk
Contributor

@jcpunk jcpunk commented Jul 10, 2025

Fixes: #39289

When the Kubernetes kubelet is configured with seccompDefault: true, the cilium-agent pods cannot start. The RuntimeDefault filter excludes the bpf syscalls, preventing cilium-agent from starting.

@jcpunk jcpunk requested review from a team as code owners July 10, 2025 19:53
@jcpunk jcpunk requested review from marseel and gandro July 10, 2025 19:53
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jul 10, 2025
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jul 10, 2025
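
How an unset seccompProfile resolves under the kubelet setting named in the PR description, as an added example that is not part of the pull request or of Cilium's code. The pod spec is a constructed sample with hypothetical container names; the resolution order (container-level field, then pod-level field, then the kubelet default, with privileged containers always Unconfined) follows Kubernetes' documented behaviour.

```python
# Added example: which containers change seccomp profile when the kubelet
# is switched to seccompDefault: true. Sample data is constructed.

def effective_seccomp(pod_spec, container, kubelet_seccomp_default):
    """Return the seccomp profile type the container will run with."""
    csc = container.get("securityContext") or {}
    # Privileged containers always run Unconfined, whatever is requested.
    if csc.get("privileged"):
        return "Unconfined"
    # A container-level seccompProfile overrides the pod-level one.
    for sc in (csc, pod_spec.get("securityContext") or {}):
        profile = sc.get("seccompProfile") or {}
        if profile.get("type"):
            return profile["type"]
    # Field left undefined everywhere: the kubelet default decides.
    return "RuntimeDefault" if kubelet_seccomp_default else "Unconfined"


def changed_by_seccomp_default(pod_spec):
    """Names of containers whose profile flips when seccompDefault is enabled."""
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    return [
        c["name"] for c in containers
        if effective_seccomp(pod_spec, c, False) != effective_seccomp(pod_spec, c, True)
    ]


# Constructed pod spec; container names are hypothetical, not the chart's output.
SAMPLE_POD = {
    "containers": [
        # Unprivileged, capability-based container with no seccompProfile set.
        {"name": "agent",
         "securityContext": {"capabilities": {"add": ["BPF", "NET_ADMIN"]}}},
        {"name": "privileged-helper", "securityContext": {"privileged": True}},
        {"name": "pinned",
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
    ],
}

if __name__ == "__main__":
    for name in changed_by_seccomp_default(SAMPLE_POD):
        print(f"{name}: Unconfined -> RuntimeDefault once seccompDefault is true")
```

Only the container that leaves the field undefined is affected; setting the profile explicitly at container or pod level makes the result independent of the kubelet default.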
@squeed
Contributor

squeed commented Jul 11, 2025

Makes sense.

Does this need to be backported?

@squeed
Contributor

squeed commented Jul 11, 2025

/test

@squeed
Contributor

squeed commented Jul 11, 2025

Note that the documentation needs to be updated. Look at the failing test for the details.

Fixes: cilium#39289

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
@jcpunk jcpunk force-pushed the seccompProfile-undefined branch from c773ca2 to a26c8f5 Compare July 11, 2025 14:15
@jcpunk
Contributor Author

jcpunk commented Jul 11, 2025

> Does this need to be backported?

I'd expect installations without this patch to fail to run.

@jcpunk
Contributor Author

jcpunk commented Jul 11, 2025

I think I fixed up the doc.

@dylandreimerink
Member

/test

@gandro
Member

gandro commented Jul 14, 2025

/test

@gandro gandro added release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch area/helm Impacts helm charts and user deployment experience labels Jul 14, 2025
@aanm aanm removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jul 14, 2025
@aanm aanm added this pull request to the merge queue Jul 14, 2025
Merged via the queue into cilium:main with commit 2e6df08 Jul 14, 2025
68 checks passed
@github-actions github-actions bot added the backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. label Jul 14, 2025
@nbusseneau nbusseneau mentioned this pull request Jul 18, 2025
23 tasks
@nbusseneau nbusseneau added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Jul 18, 2025
@nbusseneau nbusseneau mentioned this pull request Jul 18, 2025
10 tasks
@nbusseneau nbusseneau added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Jul 18, 2025
@nbusseneau nbusseneau mentioned this pull request Jul 18, 2025
5 tasks
@nbusseneau nbusseneau added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Jul 18, 2025
@nbusseneau
Member

This was actually already in 1.18 prior to branching off.

@jcpunk jcpunk deleted the seccompProfile-undefined branch July 18, 2025 16:30
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. labels Jul 21, 2025
Successfully merging this pull request may close these issues.

CFP: cilium pods compatible with kubelet setting seccompDefault