Set seccomp profile to RuntimeDefault for calico-kube-controllers and calico-typha (#6524)
dimityrmirchev committed Jun 21, 2024
1 parent d3bc14c commit e11585c
Showing 13 changed files with 72 additions and 0 deletions.
3 changes: 3 additions & 0 deletions charts/calico/templates/calico-kube-controllers.yaml
Expand Up @@ -32,6 +32,9 @@ spec:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
serviceAccountName: calico-kube-controllers
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical
{{- if eq .Values.datastore "etcd" }}
# The controllers must run in the host network namespace so that
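Review bot: the new pod-level seccompProfile only takes effect for containers that do not set their own securityContext.seccompProfile, and the container specs of this template are outside the hunk; confirm that neither the calico-kube-controllers container nor any init container in this template carries a container-level seccompProfile that would silently override RuntimeDefault. The placement under the pod spec is otherwise right, since a pod-level profile is inherited by every container in the pod.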
3 changes: 3 additions & 0 deletions charts/calico/templates/calico-node.yaml
Expand Up @@ -38,6 +38,9 @@ spec:
- effect: NoExecute
operator: Exists
serviceAccountName: {{include "nodeName" . }}
securityContext:
seccompProfile:
type: RuntimeDefault
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
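Review bot: the commit title names only calico-kube-controllers and calico-typha, but this hunk also changes the calico-node pod template (and canal-node is changed below); either widen the title to say so or split the node change into its own commit so the history stays searchable. One caveat worth a line in the message: if the calico-node container runs privileged (its container spec is not in this hunk), containerd does not apply any seccomp profile to privileged containers, so RuntimeDefault on this pod may give no syscall filtering for that container. Check on a node with `grep Seccomp /proc/<pid>/status` for a calico-node process (`Seccomp: 2` means a filter is active, `Seccomp: 0` means none) before describing this as a hardening gain for calico-node.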
2 changes: 2 additions & 0 deletions charts/calico/templates/calico-typha.yaml
Expand Up @@ -83,6 +83,8 @@ spec:
# fsGroup allows using projected serviceaccount tokens as described here kubernetes/kubernetes#82573
securityContext:
fsGroup: 65534
seccompProfile:
type: RuntimeDefault
containers:
- image: {{ .Values.typha.image }}:{{.Values.version }}
imagePullPolicy: {{.Values.imagePullPolicy}}
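Review bot: the comment above this block explains only fsGroup, and it now heads a securityContext that also carries seccompProfile; move the comment to sit directly above `fsGroup: 65534`, indented with it, so the seccomp line is not read as part of the projected-token explanation. Adding the key under the existing securityContext rather than as a second securityContext key is the right call: a duplicate key in the same mapping would be rejected by strict parsers or would shadow fsGroup, depending on the parser. This is also why the file header counts two added lines here against three elsewhere.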
6 changes: 6 additions & 0 deletions manifests/calico-bpf.yaml


6 changes: 6 additions & 0 deletions manifests/calico-etcd.yaml
Expand Up @@ -294,6 +294,9 @@ spec:
- effect: NoExecute
operator: Exists
serviceAccountName: calico-node
securityContext:
seccompProfile:
type: RuntimeDefault
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
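Review bot: this is a pod template change, so applying the manifest restarts every calico-node pod in the cluster; call that out in the release notes, and in upgrade testing verify that the profile is applied rather than merely present in the spec. `kubectl get pod <calico-node-pod> -n <namespace> -o jsonpath='{.spec.securityContext.seccompProfile.type}'` should print `RuntimeDefault`, and on the node `grep Seccomp /proc/<calico-node-pid>/status` should show `Seccomp: 2` for the container's processes. The filter is installed by the container runtime, not by the API server, so only the second check proves it is in place.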
Expand Down Expand Up @@ -611,6 +614,9 @@ spec:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
serviceAccountName: calico-kube-controllers
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
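Review bot: because this pod runs with host networking, as the comment below states, setting RuntimeDefault satisfies the seccomp requirement of the Pod Security Standards restricted profile, but the pod still fails the baseline level on hostNetwork alone; don't describe this change as making calico-kube-controllers PSA-restricted compatible, and any namespace-level PSA enforcement will still need an exemption for it. The seccomp filter itself is independent of the network namespace, so the setting is correct as written.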
8 changes: 8 additions & 0 deletions manifests/calico-policy-only.yaml


8 changes: 8 additions & 0 deletions manifests/calico-typha.yaml


6 changes: 6 additions & 0 deletions manifests/calico-vxlan.yaml


6 changes: 6 additions & 0 deletions manifests/calico.yaml


6 changes: 6 additions & 0 deletions manifests/canal-etcd.yaml
Expand Up @@ -374,6 +374,9 @@ spec:
- effect: NoExecute
operator: Exists
serviceAccountName: canal-node
securityContext:
seccompProfile:
type: RuntimeDefault
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
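Review bot: the profile is set at pod level, so it also governs every other container in the canal pod, whose container list is outside this hunk, not just the calico-node container; if the pod bundles a container from another project, run the canal end-to-end tests against this manifest and watch that container's logs for EPERM or ENOSYS, since the runtime default profile denies syscalls outside its allowlist regardless of which image is running. A container that only ever needed a syscall at startup will fail immediately, which is the cheap case to catch now.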
Expand Down Expand Up @@ -771,6 +774,9 @@ spec:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
serviceAccountName: calico-kube-controllers
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
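Review bot: RuntimeDefault delegates the syscall allowlist to whatever runtime the node uses, so the effective filter differs between containerd and CRI-O releases and is not pinned by this manifest; a reproducible profile for calico-kube-controllers would mean a `Localhost` profile shipped to every node, a much heavier operational change. For manifests that must work on arbitrary clusters, RuntimeDefault is the right choice, but record that reasoning in the commit message or a YAML comment so nobody later swaps in a bespoke profile without weighing the distribution cost.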
6 changes: 6 additions & 0 deletions manifests/canal.yaml


6 changes: 6 additions & 0 deletions manifests/flannel-migration/calico.yaml


6 changes: 6 additions & 0 deletions node/tests/k8st/infra/calico-kdd.yaml
Expand Up @@ -455,6 +455,9 @@ spec:
- effect: NoExecute
operator: Exists
serviceAccountName: calico-node
securityContext:
seccompProfile:
type: RuntimeDefault
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 0
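Review bot: this k8st infra manifest now mirrors the shipped calico-node change, but nothing in the test harness checks that the filter is actually active in the test cluster; consider a k8st assertion that reads `/proc/<pid>/status` for a calico-node process on a test node and expects `Seccomp: 2`, so that a future change which disables the filter (a container-level override, or the runtime skipping seccomp for a privileged container) is caught by CI. Seccomp fails open from the pod's point of view, so without such a check the pods keep passing the suite with no filter installed.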
Expand Down Expand Up @@ -778,6 +781,9 @@ spec:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
serviceAccountName: calico-kube-controllers
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
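Review bot: thirteen files receive the same block and nothing guards against the next PodSpec added under manifests/ or charts/ shipping without a seccomp profile; add a CI check, for instance a small script that walks every Deployment and DaemonSet in manifests/*.yaml and fails if `.spec.template.spec.securityContext.seccompProfile.type` is unset, so the hardening survives future manifest regenerations. The node and kube-controllers blocks are identical across calico-etcd.yaml, canal-etcd.yaml and this file, which is consistent today, but that consistency is being kept by hand.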