github.com/inspektor-gadget/inspektor-gadget@v0.28.1/docs/crds/gadgets/seccomp.md

---
# Code generated by 'make generate-documentation'. DO NOT EDIT.
title: Gadget seccomp
---

The seccomp gadget traces system calls for each container in order to generate
seccomp policies.

The seccomp policies can be generated in two ways:
1. on demand with the gadget.kinvolk.io/operation=generate annotation. In this
   case, the Trace.Spec.Filter should specify the namespace and pod name to the
   exclusion of other fields because there can be only one SeccompProfile
   written in the Trace.Status.Output or in the SeccompProfile resource named
   by Trace.Spec.Output. The on-demand generation supports the outputMode
   Status and ExternalResource.
2. automatically when containers matching the Trace.Spec.Filter terminate. In
   this case, all filters are supported. The at-termination generation supports
   the outputMode ExternalResource and Stream.

The seccomp policies can be written in the Status field of the Trace custom
resource, or in SeccompProfiles custom resources managed by the [Kubernetes
Security Profiles
Operator](https://github.com/kubernetes-sigs/security-profiles-operator).

SeccompProfiles will have the following annotations:

* seccomp.gadget.kinvolk.io/trace: the namespaced name of the Trace custom
  resource that generated this SeccompProfile
* seccomp.gadget.kinvolk.io/node: the node where this SeccompProfile was
  generated
* seccomp.gadget.kinvolk.io/pod: the namespaced name of the pod that was
  traced
* seccomp.gadget.kinvolk.io/container: the container name in the pod that was
  traced
* seccomp.gadget.kinvolk.io/ownerReference-APIVersion: the ownerReference's
  APIVersion of the pod that was traced
* seccomp.gadget.kinvolk.io/ownerReference-Kind: the ownerReference's Kind of the
  pod that was traced
* seccomp.gadget.kinvolk.io/ownerReference-Name: the ownerReference's Name of the
  pod that was traced
* seccomp.gadget.kinvolk.io/ownerReference-UID: the ownerReference's UID of the
  pod that was traced

SeccompProfiles will have the same labels as the Trace custom resource that
generated them. They have no meaning for the seccomp gadget; they are
merely copied for convenience.

### Example CR

```yaml
apiVersion: gadget.kinvolk.io/v1alpha1
kind: Trace
metadata:
  name: seccomp
  namespace: gadget
  labels:
    team: devops
spec:
  node: minikube
  gadget: seccomp

  # # Example of filter for manual generation with the
  # # gadget.kinvolk.io/operation=generate annotation. This needs a namespace and
  # # podname to the exclusion of other fields.
  # filter:
  #   namespace: default
  #   podname: mypod

  # Another example of filter for automatic generation when containers
  # terminate. All fields are supported.
  filter:
    namespace: default

  runMode: Manual
  outputMode: ExternalResource
  output: gadget/myseccomp
```

### Operations

#### start

Start recording syscalls

```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=start
```

#### generate

Generate a seccomp profile for the pod specified in Trace.Spec.Filter. The
namespace and pod name should be specified to the exclusion of other fields.

```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=generate
```

#### stop

Stop recording syscalls

```bash
$ kubectl annotate -n gadget trace/seccomp \
    gadget.kinvolk.io/operation=stop
```

### Output Modes

* ExternalResource
* Status
* Stream
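As an added example (not Inspektor Gadget code), a small check that a Trace spec honours the two documented generation methods: the filter and outputMode rules for on-demand and at-termination generation, plus the namespace/name form of spec.output, which is taken from the example CR above and is an assumption of this check. The sample specs are constructed to mirror the two filters shown in that CR.

```python
"""Check a seccomp-gadget Trace spec against the rules documented above.
Added example, not Inspektor Gadget code; field names follow the example CR."""

ON_DEMAND_MODES = {"Status", "ExternalResource"}       # operation=generate
AT_TERMINATION_MODES = {"ExternalResource", "Stream"}  # matching containers exit
GENERATE_FILTER_FIELDS = {"namespace", "podname"}


def validate_seccomp_trace(spec, generation):
    """Return the problems found in spec (the Trace .spec as a dict); [] is valid.
    generation is "on-demand" (gadget.kinvolk.io/operation=generate will be
    used) or "at-termination" (profiles written when matching containers exit).
    """
    problems = []
    if spec.get("gadget") != "seccomp":
        problems.append("spec.gadget must be 'seccomp'")
    mode = spec.get("outputMode")
    filt = spec.get("filter") or {}
    if generation == "on-demand":
        # Only one SeccompProfile can be written, so the filter must pin exactly
        # one pod: namespace and podname, nothing else.
        if set(filt) != GENERATE_FILTER_FIELDS:
            problems.append("on-demand generation needs a filter with exactly "
                            "namespace and podname, got %s" % sorted(filt))
        if mode not in ON_DEMAND_MODES:
            problems.append("on-demand generation supports outputMode %s, got %r"
                            % (sorted(ON_DEMAND_MODES), mode))
    elif generation == "at-termination":
        # Any filter fields are allowed; Status cannot hold many profiles.
        if mode not in AT_TERMINATION_MODES:
            problems.append("at-termination generation supports outputMode %s, "
                            "got %r" % (sorted(AT_TERMINATION_MODES), mode))
    else:
        problems.append("unknown generation method %r" % generation)
    # ExternalResource names the SeccompProfile via spec.output; the example CR
    # writes it as namespace/name, which this check assumes.
    if mode == "ExternalResource":
        output = spec.get("output") or ""
        if output.count("/") != 1 or not all(output.split("/")):
            problems.append("outputMode ExternalResource needs output as namespace/name")
    return problems


# Constructed specs mirroring the two filters in the example CR above.
ON_DEMAND_SPEC = {"node": "minikube", "gadget": "seccomp", "runMode": "Manual",
                  "filter": {"namespace": "default", "podname": "mypod"},
                  "outputMode": "Status"}
AT_TERMINATION_SPEC = {"node": "minikube", "gadget": "seccomp", "runMode": "Manual",
                       "filter": {"namespace": "default"},
                       "outputMode": "ExternalResource", "output": "gadget/myseccomp"}
```

Run the check before applying the Trace or the generate annotation; a non-empty list means the gadget will not be able to write the profile the way the spec asks for.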