Add seccomp default feature blog post #28951
Conversation
k8s-ci-robot
added
do-not-merge/hold
k8s-ci-robot
added
language/en
|
✔️ Deploy Preview for kubernetes-io-main-staging ready! 🔨 Explore the source changes: 84e472e 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/61249698af684100079246d8 😎 Browse the preview: https://deploy-preview-28951--kubernetes-io-main-staging.netlify.app |
saschagrunert
force-pushed
the
seccomp-default-blog
branch
from
4223285
to
e730a28
Compare
saschagrunert
force-pushed
the
seccomp-default-blog
branch
from
e730a28
to
6d4653b
Compare
saschagrunert
force-pushed
the
seccomp-default-blog
branch
2 times, most recently
from
0c9aa66
to
3919f2d
Compare
|
Looks good to review and I don't see a need for a hold (the article is future dated, to a date after the scheduled release). /hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
Any more feedback or is this OK for LGTM? |
|
i gave this a read way back, LGTM from my side |
saschagrunert
force-pushed
the
seccomp-default-blog
branch
2 times, most recently
from
1480b9c
to
0106220
Compare
saschagrunert
force-pushed
the
seccomp-default-blog
branch
2 times, most recently
from
36dca2e
to
d64aa11
Compare
Thank you! I addressed all of the review comments. |
k8s-ci-robot
added
the
do-not-merge/hold
From my point of view the open discussion point has been resolved. Are we good to merge? |
|
@saschagrunert can you point to a signoff that confirms what this PR is saying is technically correct? If that were available, I'd be happy to approve it right away. |
|
@PushkarJ are you willing to add /lgtm here? |
I only have source code, container runtimes basically do nothing on privileged containers: CRI-O behaves in the same way. |
|
From the blog team's perspective, we're looking for a subject matter expert (or someone who is expert enough) to check technical accuracy. SIG Docs can't promise to have the skills for this. |
| - name: test-container-nginx | ||
| image: nginx:1.21 | ||
| securityContext: | ||
| seccompProfile: |
There was a problem hiding this comment.
Thank you for making this change
| [strace][strace]) for any executed syscalls which may be blocked by the | ||
| default profiles. If that's the case, then you can create a custom seccomp | ||
| profile based on the default by adding the additional syscalls to the | ||
| `"action": "SCMP_ACT_ALLOW"` section. |
saschagrunert
force-pushed
the
seccomp-default-blog
branch
2 times, most recently
from
bf7aede
to
3f8b8fc
Compare
|
Thank you @saschagrunert for patiently resolving all the comments. Looking forward to this blog post and more people using the feature as a result of that :) /lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: edb48bb7299357c2ce0983dc6863e10171ff0205
|
This adds the blog post about the new Kubernetes `SeccompDefault` alpha feature. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert
force-pushed
the
seccomp-default-blog
branch
from
3f8b8fc
to
84e472e
Compare
k8s-ci-robot
removed
the
lgtm
|
/hold cancel borrowing LGTM from #28951 (comment) |
k8s-ci-robot
removed
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: ad9c7b7f6f8cd1357b08fc08e1e5aeea81ad8519
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This adds the blog post about the new Kubernetes
SeccompDefaultalpha feature./hold
cc @PI-Victor @pmmalinov01 @ashnehete @carlisia @chrisnegus @ritpanjw
Todo