sigs.k8s.io/seccomp-operator@v0.1.0/installation-usage.md

# Installation and Usage

## Features

The feature scope of the seccomp-operator is currently limited to:

- Enabling `ConfigMap`s to store seccomp profiles.
- Synchronizing seccomp profiles across all worker nodes.
- Validating whether a node supports seccomp, and not synchronizing to nodes that do not.
- Validating whether a profile is syntactically correct, and not synchronizing profiles that are not.

## How To

### 1. Install operator

```sh
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/seccomp-operator/master/deploy/operator.yaml
```

### 2. Create Profile

ConfigMaps with profiles are separated by their target namespace and must be
annotated with `seccomp.security.kubernetes.io/profile: "true"`, as below:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: my-namespace
  name: cfg-map-name
  annotations:
    seccomp.security.kubernetes.io/profile: "true"
data:
  profile1.json: |-
    { "defaultAction": "SCMP_ACT_ERRNO" }
  profile2.json: |-
    { "defaultAction": "SCMP_ACT_LOG" }
```

The operator will pick up that ConfigMap and save all of its profiles into the
directory:

`/var/lib/kubelet/seccomp/operator/my-namespace/cfg-map-name/`

An init container sets up the root directory of the operator so that it can
run without root UID/GID. This is done by creating a symlink from the
rootless profile storage `/var/lib/seccomp-operator` to the default seccomp root
path inside the kubelet root, `/var/lib/kubelet/seccomp/operator`.

### 3. Apply profile to pod

Create a pod using one of the created profiles:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: "localhost/operator/my-namespace/cfg-map-name/profile1.json"
spec:
  containers:
    - name: test-container
      image: nginx
```

The `localhost/` prefix is resolved by the kubelet relative to its seccomp root
(`/var/lib/kubelet/seccomp` by default), so the annotation above points at the
file written in step 2. The annotation is the alpha mechanism documented for
this release; on Kubernetes 1.19 and later the same file can also be referenced
through `securityContext.seccompProfile` with `type: Localhost`.

## Restricting to a Single Namespace

The seccomp-operator can optionally be run to watch ConfigMaps in a single
namespace. This is advantageous because it allows for tightening the RBAC
permissions required by the operator's ServiceAccount. To modify the operator
deployment to run in a single namespace, use the `namespace-operator.yaml`
manifest with your namespace of choice:

```sh
NAMESPACE=<your-namespace>

curl https://raw.githubusercontent.com/kubernetes-sigs/seccomp-operator/master/deploy/namespace-operator.yaml | sed "s/NS_REPLACE/$NAMESPACE/g" | kubectl apply -f -
```

## Troubleshooting

Confirm that the profile is being reconciled:

```sh
$ kubectl logs -n seccomp-operator seccomp-operator-v6p2h

I0618 16:06:55.242567 1 main.go:38] setup "msg"="starting seccomp-operator"
I0618 16:06:55.497098 1 listener.go:44] controller-runtime/metrics "msg"="metrics server is starting to listen" "addr"=":8080"
I0618 16:06:55.497293 1 main.go:59] setup "msg"="starting manager"
I0618 16:06:55.498089 1 internal.go:393] controller-runtime/manager "msg"="starting metrics server" "path"="/metrics"
I0618 16:06:55.498392 1 controller.go:164] controller-runtime/controller "msg"="Starting EventSource" "controller"="profile" "source"={"Type":{"metadata":{"creationTimestamp":null}}}
I0618 16:06:55.598778 1 controller.go:171] controller-runtime/controller "msg"="Starting Controller" "controller"="profile"
I0618 16:06:55.598873 1 controller.go:190] controller-runtime/controller "msg"="Starting workers" "controller"="profile" "worker count"=1
I0618 16:08:43.507538 1 profile.go:125] profile "msg"="Reconciled profile" "namespace"="my-namespace" "profile"="test-profile" "resource version"="2912"
```

Confirm that the seccomp profiles are saved into the correct path:

```sh
$ kubectl exec -t -n seccomp-operator seccomp-operator-v6p2h -- ls /var/lib/kubelet/seccomp/operator/my-namespace/test-profile
profile-block.json
profile-complain.json
```

Note that corrupted seccomp profiles can disrupt your workloads. Therefore,
ensure that the user the operator runs as cannot be abused, by:

- Not creating that user on the actual node.
- Restricting that user ID to the seccomp-operator only (e.g. using a PodSecurityPolicy).
- Not allowing other workloads to mount any part of the path `/var/lib/kubelet/seccomp/operator`.
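The following is an added example, not code from the seccomp-operator project, that walks through what steps 2 and 3 and the "syntactically correct" check in the feature list amount to: it takes a ConfigMap like the one above, validates each profile, computes the node path each profile would be written to, and builds the pod annotation that references it. The `ConfigMap` and profile types are minimal local stand-ins for the Kubernetes core/v1 and OCI runtime-spec types so that the program runs stand-alone, and the set of accepted seccomp actions is an assumption taken from the OCI runtime spec rather than from the operator's own validator.

```go
// Added example (not seccomp-operator code): validate the seccomp profiles
// carried in an annotated ConfigMap, compute the node path each one is saved
// to, and build the pod annotation that references a profile.
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Annotation a ConfigMap must carry for the operator to pick it up (from the page).
const profileAnnotation = "seccomp.security.kubernetes.io/profile"

// Directory layout from the page: kubelet seccomp root plus the operator subdirectory.
const (
	kubeletSeccompRoot = "/var/lib/kubelet/seccomp"
	operatorSubdir     = "operator"
)

// validActions is an assumption: the action names defined by the OCI runtime spec.
var validActions = map[string]bool{
	"SCMP_ACT_KILL": true, "SCMP_ACT_KILL_PROCESS": true, "SCMP_ACT_TRAP": true,
	"SCMP_ACT_ERRNO": true, "SCMP_ACT_TRACE": true, "SCMP_ACT_ALLOW": true,
	"SCMP_ACT_LOG": true,
}

// ConfigMap is a minimal stand-in for core/v1 ConfigMap (only the fields used here).
type ConfigMap struct {
	Namespace   string
	Name        string
	Annotations map[string]string
	Data        map[string]string
}

// seccompProfile is the subset of the OCI LinuxSeccomp JSON schema checked here.
type seccompProfile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// ValidateProfile is a syntactic check: the profile must be JSON, carry a known
// defaultAction, and every syscalls entry must name at least one syscall and a
// known action. Anything else is rejected before it could reach a node.
func ValidateProfile(raw string) error {
	var p seccompProfile
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return fmt.Errorf("invalid JSON: %w", err)
	}
	if !validActions[p.DefaultAction] {
		return fmt.Errorf("unknown defaultAction %q", p.DefaultAction)
	}
	for i, sc := range p.Syscalls {
		if len(sc.Names) == 0 {
			return fmt.Errorf("syscalls[%d]: no names", i)
		}
		if !validActions[sc.Action] {
			return fmt.Errorf("syscalls[%d]: unknown action %q", i, sc.Action)
		}
	}
	return nil
}

// ProfilePaths returns the node path each profile of an annotated ConfigMap would
// be saved to, keyed by data key. A ConfigMap without the annotation yields an
// empty map; the first invalid profile aborts the whole ConfigMap with an error.
func ProfilePaths(cm ConfigMap) (map[string]string, error) {
	if cm.Annotations[profileAnnotation] != "true" {
		return map[string]string{}, nil
	}
	out := make(map[string]string, len(cm.Data))
	for key, raw := range cm.Data {
		if err := ValidateProfile(raw); err != nil {
			return nil, fmt.Errorf("%s/%s key %s: %w", cm.Namespace, cm.Name, key, err)
		}
		out[key] = path.Join(kubeletSeccompRoot, operatorSubdir, cm.Namespace, cm.Name, key)
	}
	return out, nil
}

// PodAnnotation builds the seccomp.security.alpha.kubernetes.io/pod value for a
// profile: "localhost/" followed by the path relative to the kubelet seccomp root.
func PodAnnotation(cm ConfigMap, key string) string {
	return "localhost/" + path.Join(operatorSubdir, cm.Namespace, cm.Name, key)
}

func main() {
	// Constructed input mirroring the page's ConfigMap, then one broken profile.
	cm := ConfigMap{
		Namespace:   "my-namespace",
		Name:        "cfg-map-name",
		Annotations: map[string]string{profileAnnotation: "true"},
		Data: map[string]string{
			"profile1.json": `{ "defaultAction": "SCMP_ACT_ERRNO" }`,
			"profile2.json": `{ "defaultAction": "SCMP_ACT_LOG" }`,
		},
	}
	paths, err := ProfilePaths(cm)
	fmt.Println(paths, err)
	fmt.Println(PodAnnotation(cm, "profile1.json"))

	cm.Data["broken.json"] = `{ "defaultAction": "SCMP_ACT_NOPE" }`
	_, err = ProfilePaths(cm)
	fmt.Println("rejected:", err)
}
```

A ConfigMap is rejected as a whole when any single key fails validation; that matches the feature list's "do not synchronize" wording and avoids writing a half-populated directory that a pod annotation could already reference.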
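The hardening points at the end of the Troubleshooting section can be enforced mechanically. The following is an added example, not seccomp-operator code: an admission-style check that rejects any pod outside the operator's namespace that mounts a hostPath overlapping `/var/lib/kubelet/seccomp/operator` (a parent such as `/var/lib/kubelet` counts as "any part of the path") or that runs as the operator's UID. The `Pod`, `Container` and `Volume` types are minimal local stand-ins for core/v1, identifying the operator by the `seccomp-operator` namespace used in the page's commands is an assumption, and the operator UID of 2000 is a placeholder you would replace with the UID from your deployment manifest.

```go
// Added example (not seccomp-operator code): reject workloads that could tamper
// with the operator's profile directory or impersonate its UID.
package main

import (
	"fmt"
	"path"
	"strings"
)

const operatorProfileRoot = "/var/lib/kubelet/seccomp/operator"

// Assumptions: the operator runs in this namespace and with this UID.
const operatorNamespace = "seccomp-operator"
const operatorUID int64 = 2000

// Volume is a stand-in for core/v1 Volume; HostPath is empty for non-hostPath volumes.
type Volume struct {
	Name     string
	HostPath string
}

// Container is a stand-in for core/v1 Container with its securityContext.runAsUser.
type Container struct {
	Name      string
	RunAsUser *int64
}

// Pod is a stand-in for core/v1 Pod with the fields the check needs.
type Pod struct {
	Namespace  string
	Name       string
	RunAsUser  *int64 // pod-level securityContext.runAsUser
	Containers []Container
	Volumes    []Volume
}

// underOperatorRoot reports whether p is the operator profile root, an ancestor
// of it (mounting /var/lib/kubelet exposes the profiles too), or a path inside it.
func underOperatorRoot(p string) bool {
	p = path.Clean(p)
	if p == "/" {
		return true
	}
	return p == operatorProfileRoot ||
		strings.HasPrefix(operatorProfileRoot, p+"/") ||
		strings.HasPrefix(p, operatorProfileRoot+"/")
}

// Validate returns the violations found for a pod; an empty slice means admit.
// Pods in the operator's own namespace are exempt, since the operator itself
// must mount the directory and run as its UID.
func Validate(pod Pod) []string {
	if pod.Namespace == operatorNamespace {
		return nil
	}
	var violations []string
	for _, vol := range pod.Volumes {
		if vol.HostPath != "" && underOperatorRoot(vol.HostPath) {
			violations = append(violations, fmt.Sprintf(
				"volume %q: hostPath %s overlaps %s", vol.Name, vol.HostPath, operatorProfileRoot))
		}
	}
	uids := []*int64{pod.RunAsUser}
	for _, c := range pod.Containers {
		uids = append(uids, c.RunAsUser)
	}
	for _, u := range uids {
		if u != nil && *u == operatorUID {
			violations = append(violations, fmt.Sprintf(
				"runAsUser %d is reserved for the seccomp-operator", operatorUID))
			break
		}
	}
	return violations
}

func main() {
	// Constructed pods: one that would be rejected on both counts, one that is fine.
	uid := operatorUID
	bad := Pod{Namespace: "default", Name: "sneaky", RunAsUser: &uid,
		Volumes: []Volume{{Name: "kubelet", HostPath: "/var/lib/kubelet"}}}
	ok := Pod{Namespace: "default", Name: "web",
		Volumes: []Volume{{Name: "logs", HostPath: "/var/log"}}}
	for _, p := range []Pod{bad, ok} {
		fmt.Printf("%s/%s: %v\n", p.Namespace, p.Name, Validate(p))
	}
}
```

Exempting by namespace keeps the example short; a real admission policy would pin the exemption to the operator's ServiceAccount rather than to everything in its namespace.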