Replace seccomp profile docker/default with runtime/default (#6170)
Signed-off-by: Wang Zhen <lazybetrayer@gmail.com>
parent
4fd03b93f7
commit
d62836f2ab
14 changed files with 25 additions and 25 deletions
|
@ -61,8 +61,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: metallb
|
name: metallb
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
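Review bot: The allowed list in this policy is narrowed to `'runtime/default'` alone, so a pod validated against it that still sets the old `docker/default` name explicitly would, as far as the visible lines show, be refused at admission once the template is re-applied. The `restricted` policy later in this commit keeps both names (`'docker/default,runtime/default'`); the same transitional value could be used here, or the commit message could state that no workload bound to this policy sets the annotation. The same applies to the netchecker-agent-hostnet, cephfs-provisioner, local-path-provisioner, local-volume-provisioner, rbd-provisioner, ingress-nginx, registry-proxy, registry and psp.flannel.unprivileged policies. The PodSecurityPolicy manifest continues outside the hunk, so the workloads it governs are not visible here.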
@ -22,7 +22,7 @@ spec:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns{{ coredns_ordinal_suffix }}
|
k8s-app: kube-dns{{ coredns_ordinal_suffix }}
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
|
|
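Review bot: The pod template still selects its seccomp profile through the alpha annotation `seccomp.security.alpha.kubernetes.io/pod`, which Kubernetes 1.19 deprecated in favour of a field. If the clusters this template targets are at 1.19 or later, `seccompProfile:` with `type: RuntimeDefault` under the pod `securityContext` expresses the same thing and survives the annotation's removal; otherwise a comment noting that the annotation is version-bound would do. The dns-autoscaler and metrics-server templates carry the same line. The pod spec continues outside the hunk.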
@ -31,7 +31,7 @@ spec:
|
||||||
k8s-app: dns-autoscaler{{ coredns_ordinal_suffix }}
|
k8s-app: dns-autoscaler{{ coredns_ordinal_suffix }}
|
||||||
annotations:
|
annotations:
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ""
|
scheduler.alpha.kubernetes.io/critical-pod: ""
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
securityContext:
|
securityContext:
|
||||||
|
|
|
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: netchecker-agent-hostnet
|
name: netchecker-agent-hostnet
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: restricted
|
name: restricted
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
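Review bot: The `allowedProfileNames` line here is the only one in the commit that keeps `docker/default`, and nothing in the template says why. A comment above it such as `# docker/default is the deprecated alias of runtime/default; kept so pods that still request it pass admission, remove once they are migrated` would stop a later cleanup from dropping it too early or leaving it in the policy named `restricted` indefinitely. The reason is inferred from the commit title, so confirm it before wording the comment. The manifest continues outside the hunk.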
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: cephfs-provisioner
|
name: cephfs-provisioner
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: local-path-provisioner
|
name: local-path-provisioner
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: local-volume-provisioner
|
name: local-volume-provisioner
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: rbd-provisioner
|
name: rbd-provisioner
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: ingress-nginx
|
name: ingress-nginx
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
@ -20,7 +20,7 @@ spec:
|
||||||
app.kubernetes.io/name: metrics-server
|
app.kubernetes.io/name: metrics-server
|
||||||
version: {{ metrics_server_version }}
|
version: {{ metrics_server_version }}
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
serviceAccountName: metrics-server
|
serviceAccountName: metrics-server
|
||||||
|
|
|
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: registry-proxy
|
name: registry-proxy
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
@ -4,8 +4,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: registry
|
name: registry
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
{% if apparmor_enabled %}
|
{% if apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
|
||||||
|
|
|
@ -10,8 +10,8 @@ kind: PodSecurityPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: psp.flannel.unprivileged
|
name: psp.flannel.unprivileged
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
|
||||||
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
|
||||||
{% if podsecuritypolicy_enabled and apparmor_enabled %}
|
{% if podsecuritypolicy_enabled and apparmor_enabled %}
|
||||||
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
|
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
|
||||||
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
|
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
|
||||||
|
|