Bug 1767269

Summary: [RFE] Seccomp profile should be enabled by default
Product: OpenShift Container Platform Reporter: Tsai Li Ming <ltsai>
Component: openshift-apiserver    Assignee: Stefan Schimanski <sttts>
Status: CLOSED UPSTREAM QA Contact: Xingxing Xia <xxia>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.1.z    CC: aos-bugs, eparis, jialiu, jokerman, mfojtik, mharri, nstielau, pweil, sfowler, sreber, wsun, xtian, xxia
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 13:25:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tsai Li Ming 2019-10-31 03:11:19 UTC
Description of problem:
Seccomp should be enabled by default in restricted SCC.

$ oc version
Client Version: openshift-clients-4.2.0-201910041700
Server Version: 4.1.20
Kubernetes Version: v1.13.4+520769a

$ oc describe scc restricted | grep Seccomp
  Allowed Seccomp Profiles: <none>

$ oc describe scc privileged | grep Seccomp
  Allowed Seccomp Profiles:			*

Version-Release number of selected component (if applicable):
4.1.Z. Should affect 4.2.z too.

How reproducible:

Always

Steps to Reproduce:
1.
2.
3.

Actual results:
Not enabled in restricted SCC.

Expected results:
Should be enabled in restricted SCC.

Additional info:
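An added audit script (not part of the bug report or of the OpenShift code base) that turns the two `oc describe ... | grep Seccomp` checks above into one pass over every SCC in a cluster. It reads the JSON that `oc get scc -o json` prints and reports, per SCC, which seccomp profiles are allowed and whether a profile is applied by default. The semantics it assumes are those documented for the SCC `seccompProfiles` field: an unset or empty list means no profile may be requested and none is applied; `*` allows any profile; and the first non-wildcard entry is the default applied to pods that do not request one. The sample input is constructed to mirror the report (restricted with no profiles, privileged with `*`) plus a hypothetical custom SCC named `example-seccomp`; pass `--live` to query a real cluster through a logged-in `oc` context instead.

```python
"""Audit OpenShift SecurityContextConstraints for seccomp enforcement.

Consumes the output of `oc get scc -o json` (a List of
SecurityContextConstraints objects) and reports which SCCs would admit
pods with no seccomp profile at all, the condition the bug report
describes for the restricted SCC.
"""
import json
import subprocess
import sys

WILDCARD = "*"

# Constructed sample shaped like `oc get scc -o json`, trimmed to the
# fields this audit needs. "example-seccomp" is a hypothetical custom SCC.
SAMPLE_SCC_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "SecurityContextConstraints",
         "metadata": {"name": "restricted"}},                # seccompProfiles unset
        {"kind": "SecurityContextConstraints",
         "metadata": {"name": "privileged"},
         "seccompProfiles": ["*"]},                          # any profile, no default
        {"kind": "SecurityContextConstraints",
         "metadata": {"name": "example-seccomp"},
         "seccompProfiles": ["runtime/default", "docker/default"]},
    ],
})


def classify(scc):
    """Summarise the seccomp posture of one SCC object.

    Assumed field semantics (verify against your release's SCC docs):
      - unset/empty seccompProfiles: pods may not request a profile and
        none is applied -> no enforcement
      - "*" present: any profile may be requested
      - first non-wildcard entry: applied as the default when the pod does
        not request a profile itself
    """
    profiles = list(scc.get("seccompProfiles") or [])
    default = next((p for p in profiles if p != WILDCARD), None)
    return {
        "profiles": profiles,
        "allows_any": WILDCARD in profiles,
        "default": default,
        "enforced_by_default": default is not None,
    }


def audit(scc_list_json):
    """Map SCC name -> classify() result for every item in the list."""
    data = json.loads(scc_list_json)
    return {item["metadata"]["name"]: classify(item)
            for item in data.get("items", [])}


def findings(report):
    """Names of SCCs that admit pods with no seccomp profile by default."""
    return sorted(name for name, r in report.items()
                  if not r["enforced_by_default"])


def main(argv):
    if "--live" in argv:
        # Query the cluster; requires an authenticated `oc` context.
        text = subprocess.run(["oc", "get", "scc", "-o", "json"],
                              check=True, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SCC_LIST
    report = audit(text)
    for name, r in sorted(report.items()):
        allowed = ", ".join(r["profiles"]) or "<none>"
        print(f"{name:20} allowed={allowed:35} default={r['default']}")
    noisy = findings(report)
    if noisy:
        print("SCCs admitting pods with no seccomp profile by default:",
              ", ".join(noisy))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample, both `restricted` and `privileged` are reported: `restricted` because nothing is allowed or applied, `privileged` because `*` permits any profile but applies none. A workload that needs seccomp today therefore has to request a profile explicitly under an SCC whose list includes it, which is the state the report asks to change.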

Comment 2 Sam Fowler 2019-10-31 04:11:49 UTC
Kubernetes seccomp enhancement:

https://github.com/kubernetes/enhancements/issues/135

Comment 3 Paul Weil 2019-10-31 18:38:52 UTC
Historical note: This is definitely something worth thinking about again but one item of difficulty is that this is not a backwards compatible change. While the default seccomp profile may work for *most* users it also runs the risk of breaking existing workloads unexpectedly.

This is also noted in the (now closed) upstream issue https://github.com/kubernetes/kubernetes/issues/39845

The current upstream seccomp issue (https://github.com/kubernetes/kubernetes/issues/81115) proposes the following steps to help alleviate the concern:

> 1. Make seccomp GA (kubernetes/enhancements#1148)
> 2. Define the default profile in Kubernetes (requires profile representation in k8s)
> 3. Implement a "complain mode" so issues can be detected before enabling

https://github.com/kubernetes/kubernetes/issues/81115#issuecomment-520549317

upstream KEP: https://github.com/kubernetes/enhancements/pull/1257