Bug 1390976 - [DOCS] Seccomp runtime/default does not work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Ashley Hardin
QA Contact: Weihua Meng
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-02 10:49 UTC by Weihua Meng
Modified: 2020-04-15 14:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-15 19:46:18 UTC
Target Upstream Version:



Description Weihua Meng 2016-11-02 10:49:43 UTC
Description of problem:
Seccomp runtime/default does not work

Version-Release number of selected component (if applicable):
openshift v3.4.0.18+ada983f
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

How reproducible:
Always

Steps to Reproduce:
1. configure the restricted SCC with:
seccompProfiles:
- runtime/default
2. oc login with normal user
3. create a pod 
oc create -f pod-sec-pod-default.yaml

cat pod-sec-pod-default.yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    name: pod-seccomp
  name: pod-seccomp-dafault-pod
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
spec:
  containers:
    - image: "docker.io/deshuai/hello-pod:latest"
      imagePullPolicy: IfNotPresent
      name: hello-pod
      ports:
        - containerPort: 8080
          protocol: TCP
      resources: {}
      securityContext:
        capabilities: {}
        privileged: false
      terminationMessagePath: /dev/termination-log
      volumeMounts:
        - mountPath: /tmp
          name: tmp
  dnsPolicy: ClusterFirst
  restartPolicy: Always
  serviceAccount: ""
  volumes:
    - emptyDir: {}
      name: tmp
status: {}

Actual results:
[root@dhcp-128-70 seccomp]# oc create -f pod-sec-pod-default.yaml
The Pod "pod-seccomp-dafault-pod" is invalid: metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: Invalid value: "runtime/default": must be a valid seccomp profile

Expected results:
pod created 
and default seccomp profile applied.
 
Additional info:
If docker/default is used, it works.
Ref docs: https://docs.openshift.org/latest/admin_guide/seccomp.html

Comment 2 Paul Weil 2016-11-02 19:17:53 UTC
Update to the docs to point to docker/default, which is what is being used in the validation: https://github.com/openshift/openshift-docs/pull/3150

Comment 3 Jeff Peeler 2016-11-02 20:02:33 UTC
Complementary kubernetes PR: https://github.com/kubernetes/kubernetes/pull/36086

(Closing as "not a bug" since it wasn't a coding issue.)

Comment 4 Weihua Meng 2016-11-03 01:50:41 UTC
Need to verify this when the doc PR is merged.

Comment 5 Jeff Peeler 2017-03-02 15:48:53 UTC
This finally merged just now here: https://github.com/kubernetes/community/pull/390

Comment 7 Weihua Meng 2017-03-15 05:56:06 UTC
Verified with latest oc, openshift v3.5.0.52.
Now the actual behaviour and on-line doc are consistent.
"docker/default" is default instead of "runtime/default".
Fixed.
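
A pre-flight check for the annotation rejected in the report above, as an added example that is not part of the original bug thread or of OpenShift. It assumes the API server of this release accepts only docker/default, unconfined and localhost/<path> (the thread itself confirms only that docker/default is accepted and runtime/default is rejected); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenShift code. Function names are hypothetical.
# Assumption: this release accepts docker/default, unconfined and localhost/<path>;
# the report confirms only docker/default (accepted) and runtime/default (rejected).

# Print every seccomp annotation value in a manifest, one per line.
# Line-based scan (not a YAML parser) of the pod-level key and the per-container
# container.seccomp.security.alpha.kubernetes.io/<name> keys.
seccomp_values() {
    sed -n 's|^[[:space:]]*\(container\.\)\{0,1\}seccomp\.security\.alpha\.kubernetes\.io/[^:]*:[[:space:]]*||p' "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 if the profile name is in the assumed accepted set.
check_seccomp_profile() {
    case "$1" in
        docker/default|unconfined) return 0 ;;
        # Defensive choice of this example: no parent-directory steps in the path.
        localhost/..|localhost/../*|localhost/*/..|localhost/*/../*) return 1 ;;
        localhost/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if every seccomp annotation in the manifest passes the check.
check_manifest() {
    rc=0
    values=$(seccomp_values "$1")
    while IFS= read -r v; do
        [ -n "$v" ] || continue
        if ! check_seccomp_profile "$v"; then
            echo "invalid seccomp profile: $v" >&2
            rc=1
        fi
    done <<EOF
$values
EOF
    return $rc
}

# Constructed sample: the annotation from the report above.
sample=$(mktemp)
printf '%s\n' 'metadata:' '  annotations:' \
    '    seccomp.security.alpha.kubernetes.io/pod: runtime/default' > "$sample"
check_manifest "$sample" || echo "fix the manifest before running oc create -f"
rm -f "$sample"
```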

