

Allow plain annotation seccomp-profile.kubernetes.cri-o.io for images
We now additionally allow the plain
`seccomp-profile.kubernetes.cri-o.io` annotation for container images,
to not require users to suffix the annotation using `/POD` or a
container name.

Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert committed Feb 20, 2024
1 parent 87ff09f commit 6bd4f68
Showing 7 changed files with 30 additions and 0 deletions.
1 change: 1 addition & 0 deletions contrib/test/ci/vars.yml
Expand Up @@ -159,6 159,7 @@ kata_skip_pod_tests:
kata_skip_seccomp_oci_artifacts_tests:
- 'test "seccomp OCI artifact with pod annotation"'
- 'test "seccomp OCI artifact with container annotation"'
- 'test "seccomp OCI artifact with image annotation without suffix"'
- 'test "seccomp OCI artifact with image annotation for pod"'
- 'test "seccomp OCI artifact with image annotation for container"'
- 'test "seccomp OCI artifact with image annotation and profile set to unconfined"'
2 changes: 2 additions & 0 deletions docs/crio.conf.5.md
Expand Up @@ -359,6 359,8 @@ The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. Th
- a specific container by using: "seccomp-profile.kubernetes.cri-o.io/<CONTAINER_NAME>"
- a whole pod by using: "seccomp-profile.kubernetes.cri-o.io/POD"
Note that the annotation works on containers as well as on images.
For images, the plain annotation `seccomp-profile.kubernetes.cri-o.io`
can be used without the required `/POD` suffix or a container name.

**platform_runtime_paths**={}
A mapping of platforms to the corresponding runtime executable paths for the runtime handler.
Expand Up @@ -49,6 49,9 @@ func (s *SeccompOCIArtifact) TryPull(
} else if val, ok := podAnnotations[SeccompProfilePodAnnotation]; ok {
log.Infof(ctx, "Found pod specific seccomp profile annotation: %s=%s", annotations.SeccompProfileAnnotation, val)
profileRef = val
} else if val, ok := imageAnnotations[annotations.SeccompProfileAnnotation]; ok {
log.Infof(ctx, "Found image specific seccomp profile annotation: %s=%s", annotations.SeccompProfileAnnotation, val)
profileRef = val
} else if val, ok := imageAnnotations[containerKey]; ok {
log.Infof(ctx, "Found image specific seccomp profile annotation for container %s: %s=%s", containerName, annotations.SeccompProfileAnnotation, val)
profileRef = val
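Review bot: The plain image annotation lookup added as the third `else if` (`imageAnnotations[annotations.SeccompProfileAnnotation]`) is consulted before the container-specific image key on the next line, so an image carrying both `seccomp-profile.kubernetes.cri-o.io` and `seccomp-profile.kubernetes.cri-o.io/<CONTAINER_NAME>` resolves to the generic value rather than the one scoped to the container. If the intent is that the most specific key wins, as the pod-annotation branches above appear to do by testing the container key before `/POD`, the three added lines should move below the `containerKey` image branch and any `/POD` image branch that follows outside this hunk, with a comment such as `// Plain image annotation is the least specific key and is consulted last.`. Whichever order is chosen, the documentation added in `pkg/annotations/annotations.go` and `pkg/config/config.go` should state the precedence, since the annotation value is read from image content rather than from the pod spec. TryPull's body begins and ends outside the hunk.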
2 changes: 2 additions & 0 deletions pkg/annotations/annotations.go
Expand Up @@ -77,6 77,8 @@ const (
// - a specific container by using: `seccomp-profile.kubernetes.cri-o.io/<CONTAINER_NAME>`
// - a whole pod by using: `seccomp-profile.kubernetes.cri-o.io/POD`
// Note that the annotation works on containers as well as on images.
// For images, the plain annotation `seccomp-profile.kubernetes.cri-o.io`
// can be used without the required `/POD` suffix or a container name.
SeccompProfileAnnotation = "seccomp-profile.kubernetes.cri-o.io"
)

2 changes: 2 additions & 0 deletions pkg/config/config.go
Expand Up @@ -210,6 210,8 @@ type RuntimeHandler struct {
// - a specific container by using: `seccomp-profile.kubernetes.cri-o.io/<CONTAINER_NAME>`
// - a whole pod by using: `seccomp-profile.kubernetes.cri-o.io/POD`
// Note that the annotation works on containers as well as on images.
// For images, the plain annotation `seccomp-profile.kubernetes.cri-o.io`
// can be used without the required `/POD` suffix or a container name.
AllowedAnnotations []string `toml:"allowed_annotations,omitempty"`

// DisallowedAnnotations is the slice of experimental annotations that are not allowed for this handler.
2 changes: 2 additions & 0 deletions pkg/config/template.go
Expand Up @@ -1269,6 1269,8 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
# - a specific container by using: "seccomp-profile.kubernetes.cri-o.io/<CONTAINER_NAME>"
# - a whole pod by using: "seccomp-profile.kubernetes.cri-o.io/POD"
# Note that the annotation works on containers as well as on images.
# For images, the plain annotation "seccomp-profile.kubernetes.cri-o.io"
# can be used without the required "/POD" suffix or a container name.
# - monitor_path (optional, string): The path of the monitor binary. Replaces
# deprecated option "conmon".
# - monitor_cgroup (optional, string): The cgroup the container monitor process will be put in.
18 changes: 18 additions & 0 deletions test/seccomp_oci_artifacts.bats
Expand Up @@ -16,6 16,7 @@ function teardown() {
cleanup_test
}

ARTIFACT_IMAGE_WITH_ANNOTATION=quay.io/crio/nginx-seccomp:generic
ARTIFACT_IMAGE_WITH_POD_ANNOTATION=quay.io/crio/nginx-seccomp:pod
ARTIFACT_IMAGE_WITH_CONTAINER_ANNOTATION=quay.io/crio/nginx-seccomp:container
ARTIFACT_IMAGE=quay.io/crio/seccomp:v1
Expand All @@ -24,6 25,23 @@ ANNOTATION=seccomp-profile.kubernetes.cri-o.io
POD_ANNOTATION=seccomp-profile.kubernetes.cri-o.io/POD
TEST_SYSCALL=OCI_ARTIFACT_TEST

@test "seccomp OCI artifact with image annotation without suffix" {
# Run with enabled feature set
create_runtime_with_allowed_annotation seccomp $ANNOTATION
start_crio

jq '.image.image = "'$ARTIFACT_IMAGE_WITH_ANNOTATION'"' \
"$TESTDATA/container_config.json" > "$TESTDIR/container.json"

crictl pull $ARTIFACT_IMAGE_WITH_ANNOTATION
CTR=$(crictl run "$TESTDIR/container.json" "$TESTDATA/sandbox_config.json")

# Assert
grep -q "Found image specific seccomp profile annotation: $ANNOTATION=$ARTIFACT_IMAGE" "$CRIO_LOG"
grep -q "Retrieved OCI artifact seccomp profile" "$CRIO_LOG"
crictl inspect "$CTR" | jq -e .info.runtimeSpec.linux.seccomp | grep -q $TEST_SYSCALL
}

@test "seccomp OCI artifact with image annotation for pod" {
# Run with enabled feature set
create_runtime_with_allowed_annotation seccomp $ANNOTATION
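Review bot: The new test "seccomp OCI artifact with image annotation without suffix" exercises only the allowed path, where `create_runtime_with_allowed_annotation seccomp $ANNOTATION` enables the annotation before the image is run. A companion case where the same image is run without the annotation being allowed, asserting that the "Found image specific seccomp profile annotation" log line is absent and `.info.runtimeSpec.linux.seccomp` does not contain `$TEST_SYSCALL`, would pin that the plain form is gated the same way as the `/POD` and container forms; the neighbouring pod and container tests may already have such a case outside this hunk. The `@test` that begins at the bottom of the hunk continues outside it.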
