From d62836f2ab8559048ed41b25e48054a0a63b1a2e Mon Sep 17 00:00:00 2001
From: Wang Zhen
Date: Thu, 28 May 2020 05:02:02 +0800
Subject: [PATCH] Replace seccomp profile docker/default with runtime/default (#6170)
Signed-off-by: Wang Zhen
---
contrib/metallb/roles/provision/templates/metallb.yml.j2 | 4 ++--
.../ansible/templates/coredns-deployment.yml.j2 | 2 +-
roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2 | 2 +-
.../ansible/templates/netchecker-agent-hostnet-psp.yml.j2 | 4 ++--
roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 | 4 ++--
.../templates/psp-cephfs-provisioner.yml.j2 | 4 ++--
.../templates/local-path-storage-psp.yml.j2 | 4 ++--
.../templates/local-volume-provisioner-psp.yml.j2 | 4 ++--
.../rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 | 4 ++--
.../ingress_nginx/templates/psp-ingress-nginx.yml.j2 | 4 ++--
.../templates/metrics-server-deployment.yaml.j2 | 2 +-
.../registry/templates/registry-proxy-psp.yml.j2 | 4 ++--
roles/kubernetes-apps/registry/templates/registry-psp.yml.j2 | 4 ++--
.../network_plugin/flannel/templates/cni-flannel-rbac.yml.j2 | 4 ++--
14 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/contrib/metallb/roles/provision/templates/metallb.yml.j2 b/contrib/metallb/roles/provision/templates/metallb.yml.j2
index b2d6ce051..56186db87 100644
--- a/contrib/metallb/roles/provision/templates/metallb.yml.j2
+++ b/contrib/metallb/roles/provision/templates/metallb.yml.j2
@@ -61,8 +61,8 @@ kind: PodSecurityPolicy
metadata:
name: metallb
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
index a75965acd..3517e472b 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
@@ -22,7 +22,7 @@ spec:
labels:
k8s-app: kube-dns{{ coredns_ordinal_suffix }}
annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
priorityClassName: system-cluster-critical
nodeSelector:
diff --git a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2 b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
index ce898a030..18b7227b8 100644
--- a/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dns-autoscaler.yml.j2
@@ -31,7 +31,7 @@ spec:
k8s-app: dns-autoscaler{{ coredns_ordinal_suffix }}
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
priorityClassName: system-cluster-critical
securityContext:
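Review bot: The new `runtime/default` value in the coredns hunk is still carried by the alpha `seccomp.security.alpha.kubernetes.io/pod` annotation, which Kubernetes deprecated in 1.19 in favour of the pod-level `securityContext.seccompProfile` field (`seccompProfile: {type: RuntimeDefault}`), and later releases have dropped support for the annotation altogether. On a release that ignores it, the pod rendered from this template would run with no seccomp profile even though one is declared here, so the value change alone does not keep the hardening intact going forward. A follow-up that sets `seccompProfile` under the pod `securityContext` (gated on the target kube version) and keeps the annotation only for older releases would close that gap; the dns-autoscaler hunk on this line and the metrics-server hunk further down have the same issue. The enclosing pod template starts and ends outside the hunk.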
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
index 9be7c84f7..21b397d12 100644
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: netchecker-agent-hostnet
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
index 9245424cd..5da540041 100644
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: restricted
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
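Review bot: `allowedProfileNames` on the `restricted` PSP becomes `'docker/default,runtime/default'` while every other PSP in this patch allows only `runtime/default`, and neither the commit message nor the template says why this one policy is the exception. Presumably `docker/default` stays admissible here because `restricted` is the cluster-wide policy and user workloads still carrying the old pod annotation would otherwise be rejected mid-migration; that is a compatibility choice rather than a weakening, since `docker/default` has been an alias of `runtime/default` since its deprecation in 1.11, but the intent is invisible to the next maintainer and the extra name will never be cleaned up. Record it in the template, e.g. a Jinja comment `{# docker/default kept so pods still using the old annotation are admitted; drop once migrated #}` above the `allowedProfileNames` line, or make the value `'runtime/default'` like the other policies. The netchecker PSP hunk on this line is consistent with the rest of the patch.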
diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
index 291870c98..76d146cbb 100644
--- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: cephfs-provisioner
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
index 2b8c310c2..55d5adb17 100644
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: local-path-provisioner
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2
index 6ec5601b2..10b4f6e15 100644
--- a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: local-volume-provisioner
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
index a314f0104..c59effdba 100644
--- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: rbd-provisioner
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
index c83ea435c..903f26808 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: ingress-nginx
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2 b/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2
index f08113d8d..dfe1e69ac 100644
--- a/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2
+++ b/roles/kubernetes-apps/metrics_server/templates/metrics-server-deployment.yaml.j2
@@ -20,7 +20,7 @@ spec:
app.kubernetes.io/name: metrics-server
version: {{ metrics_server_version }}
annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
priorityClassName: system-cluster-critical
serviceAccountName: metrics-server
diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
index 20b108962..3a0233a2a 100644
--- a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: registry-proxy
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
index 5004cd821..b04d8c27a 100644
--- a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
@@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata:
name: registry
annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
diff --git a/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2 b/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
index ce4980ccb..bb55fd4da 100644
--- a/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel-rbac.yml.j2
@@ -10,8 +10,8 @@ kind: PodSecurityPolicy
metadata:
name: psp.flannel.unprivileged
annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
- seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
{% if podsecuritypolicy_enabled and apparmor_enabled %}
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default