From d62836f2ab8559048ed41b25e48054a0a63b1a2e Mon Sep 17 00:00:00 2001
From: Wang Zhen <lazybetrayer@gmail.com>
Date: Thu, 28 May 2020 05:02:02 +0800
Subject: [PATCH] Replace seccomp profile docker/default with runtime/default
 (#6170)

Signed-off-by: Wang Zhen <lazybetrayer@gmail.com>
---
 contrib/metallb/roles/provision/templates/metallb.yml.j2      | 4 ++--
 .../ansible/templates/coredns-deployment.yml.j2               | 2 +-
 roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2 | 2 +-
 .../ansible/templates/netchecker-agent-hostnet-psp.yml.j2     | 4 ++--
 roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2      | 4 ++--
 .../templates/psp-cephfs-provisioner.yml.j2                   | 4 ++--
 .../templates/local-path-storage-psp.yml.j2                   | 4 ++--
 .../templates/local-volume-provisioner-psp.yml.j2             | 4 ++--
 .../rbd_provisioner/templates/psp-rbd-provisioner.yml.j2      | 4 ++--
 .../ingress_nginx/templates/psp-ingress-nginx.yml.j2          | 4 ++--
 .../templates/metrics-server-deployment.yaml.j2               | 2 +-
 .../registry/templates/registry-proxy-psp.yml.j2              | 4 ++--
 roles/kubernetes-apps/registry/templates/registry-psp.yml.j2  | 4 ++--
 .../network_plugin/flannel/templates/cni-flannel-rbac.yml.j2  | 4 ++--
 14 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/contrib/metallb/roles/provision/templates/metallb.yml.j2 b/contrib/metallb/roles/provision/templates/metallb.yml.j2
index b2d6ce051..56186db87 100644
--- a/contrib/metallb/roles/provision/templates/metallb.yml.j2
+++ b/contrib/metallb/roles/provision/templates/metallb.yml.j2
@@ -61,8 +61,8 @@ kind: PodSecurityPolicy
 metadata:
   name: metallb
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
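Review bot: Removing `docker/default` from `allowedProfileNames` on line 36 means any pod admitted under the metallb policy that still carries an explicit `seccomp.security.alpha.kubernetes.io/pod: 'docker/default'` annotation is rejected by PodSecurityPolicy admission, and the commit only updates the pod-level annotation for coredns, dns-autoscaler and metrics-server. Whether the metallb manifests (or those behind the netchecker, cephfs, local-path, local-volume, rbd, ingress-nginx, registry-proxy, registry and flannel policies, which make the same change) still set the old name is not visible in this diff; if any do, either update them in the same change or allow both names during the transition, as the `restricted` policy does: `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'`. Since both names resolve to the container runtime's default profile, allowing both loosens nothing while avoiding a surprise admission failure on upgrade.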
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
index a75965acd..3517e472b 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
@@ -22,7 +22,7 @@ spec:
       labels:
         k8s-app: kube-dns{{ coredns_ordinal_suffix }}
       annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
     spec:
       priorityClassName: system-cluster-critical
       nodeSelector:
diff --git a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2 b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
index ce898a030..18b7227b8 100644
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
@@ -31,7 +31,7 @@ spec:
         k8s-app: dns-autoscaler{{ coredns_ordinal_suffix }}
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ""
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
     spec:
       priorityClassName: system-cluster-critical
       securityContext:
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
index 9be7c84f7..21b397d12 100644
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: netchecker-agent-hostnet
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
index 9245424cd..5da540041 100644
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: restricted
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
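Review bot: Line 92 is the only place in the commit where `allowedProfileNames` keeps `docker/default` alongside `runtime/default`, and nothing in the template or the commit message says this deviation from the other twelve policies is intentional. A one-line template comment above the annotation would keep the next maintainer from "harmonising" it away, e.g. `{# docker/default is still accepted so user workloads annotated with the old profile name keep passing admission #}`. If the asymmetry is not deliberate, the value should match the other policies instead.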
diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
index 291870c98..76d146cbb 100644
--- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: cephfs-provisioner
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
index 2b8c310c2..55d5adb17 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: local-path-provisioner
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2
index 6ec5601b2..10b4f6e15 100644
--- a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: local-volume-provisioner
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
index a314f0104..c59effdba 100644
--- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: rbd-provisioner
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
index c83ea435c..903f26808 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: ingress-nginx
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2 b/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2
index f08113d8d..dfe1e69ac 100644
--- a/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2
+++ b/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2
@@ -20,7 +20,7 @@ spec:
         app.kubernetes.io/name: metrics-server
         version: {{ metrics_server_version }}
       annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
     spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: metrics-server
diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
index 20b108962..3a0233a2a 100644
--- a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: registry-proxy
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
index 5004cd821..b04d8c27a 100644
--- a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
 metadata:
   name: registry
   annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2 b/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
index ce4980ccb..bb55fd4da 100644
--- a/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
@@ -10,8 +10,8 @@ kind: PodSecurityPolicy
 metadata:
   name: psp.flannel.unprivileged
   annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
 {% if podsecuritypolicy_enabled and apparmor_enabled %}
     apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
     apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-- 
GitLab