-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Non existing localhostProfile Seccomp profile is not applied on Kubernetes nodes >= 1.28 #124944
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/sig node security |
/assign |
hi @MetalPinguinInc , if you use
use
I guess this is caused by different container runtimes, and your cri should be docker |
hi @chengjoey on my own baremetal clusters I am indeed running Docker with containerd as the container runtime and cri-dockerd as a shim between Kubernetes and Docker. I can indeed confirm that using containerd as the runtime directly, seems to correctly throw the error in minikube. This has left me confused. Without using the
I am slightly confused by the terminology here: Kubernetes can run on both Docker (in which case you also need cri-dockerd) and Containerd, but Docker uses containerd as its container runtime anyway. When I started using Kubernetes only Docker was used, is there any reason to still have docker in the mix or is this mostly still supported for backwards compatibility and is using containerd with kubernetes directly a more streamlined approach? In anycase, could it be that the issue lies in how Kubernetes communicates security options to Docker in versions >= 1.28? Since the Docker version is the same between 1.28 and 1.27 it seems unlikely that this is a issue in Docker. |
It sounds like this is an issue with cri-dockerd, not kubernetes. I'd be curious how cri-o handles it, but if you wish to keep using cri-dockerd and want this situation fixed, I recommend opening an issue with them. /close please reopen if you think there's something wrong with kubernetes :) |
@haircommander: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
What happened?
I am running 2 clusters, 1 is still on 1.26 and the other is on 1.29.5. I tried to apply a custom seccomp profile to a pod on 1.29.5 and noticed it did not seem to work. While trying to pin-point the issue, I found out that applying a custom seccomp profile that does not exist (i.e. the file does not exist on the node) to a pod on a kubernetes node below 1.28 fails to start the pod, with an error:
However, when trying to do the same on a kubernetes node >= 1.28 incorrectly starts the pod, with no mention of the seccomp profile file not being found or being invalid. Although I used minikube to reproduce this bug, I observed it first on a bare metal installation.
What did you expect to happen?
I expect a pod not to start when the seccomp profile cannot be loaded.
How can we reproduce it (as minimally and precisely as possible)?
Observe that the pod does not start and gives an error:
Observe that the pod has started without any errors.
audit-pod.yaml:
Anything else we need to know?
No response
Kubernetes version
Version that errors on invalid seccomp profile:
Version that does not error:
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: