Replace seccomp profile docker/default with runtime/default (#6170)

Signed-off-by: Wang Zhen <lazybetrayer@gmail.com>
This commit is contained in:
Wang Zhen 2020-05-28 05:02:02 +08:00 committed by GitHub
parent 4fd03b93f7
commit d62836f2ab
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 25 additions and 25 deletions

View file

@ -61,8 +61,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: metallb name: metallb
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -22,7 +22,7 @@ spec:
labels: labels:
k8s-app: kube-dns{{ coredns_ordinal_suffix }} k8s-app: kube-dns{{ coredns_ordinal_suffix }}
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
nodeSelector: nodeSelector:

View file

@ -31,7 +31,7 @@ spec:
k8s-app: dns-autoscaler{{ coredns_ordinal_suffix }} k8s-app: dns-autoscaler{{ coredns_ordinal_suffix }}
annotations: annotations:
scheduler.alpha.kubernetes.io/critical-pod: "" scheduler.alpha.kubernetes.io/critical-pod: ""
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext: securityContext:

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: netchecker-agent-hostnet name: netchecker-agent-hostnet
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: restricted name: restricted
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: cephfs-provisioner name: cephfs-provisioner
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: local-path-provisioner name: local-path-provisioner
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: local-volume-provisioner name: local-volume-provisioner
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: rbd-provisioner name: rbd-provisioner
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: ingress-nginx name: ingress-nginx
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -20,7 +20,7 @@ spec:
app.kubernetes.io/name: metrics-server app.kubernetes.io/name: metrics-server
version: {{ metrics_server_version }} version: {{ metrics_server_version }}
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: metrics-server serviceAccountName: metrics-server

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: registry-proxy name: registry-proxy
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -4,8 +4,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: registry name: registry
annotations: annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %} {% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'

View file

@ -10,8 +10,8 @@ kind: PodSecurityPolicy
metadata: metadata:
name: psp.flannel.unprivileged name: psp.flannel.unprivileged
annotations: annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
{% if podsecuritypolicy_enabled and apparmor_enabled %} {% if podsecuritypolicy_enabled and apparmor_enabled %}
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default