sigs.k8s.io/seccomp-operator@v0.1.0/installation-usage.md

# Installation and Usage

## Features

The feature scope of the seccomp-operator is currently limited to:

- Enable `ConfigMap`s to store seccomp profiles.
- Synchronize seccomp profiles across all worker nodes.
- Validate that a node supports seccomp and skip synchronization if it does not.
- Validate that a profile is syntactically correct and skip synchronization if it is not.

## How To

### 1. Install operator

```sh
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/seccomp-operator/master/deploy/operator.yaml
```

### 2. Create Profile

ConfigMaps holding profiles are separated by their target namespace and must be
annotated with `seccomp.security.kubernetes.io/profile: "true"`, as in the
example below:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: my-namespace
  name: cfg-map-name
  annotations:
    seccomp.security.kubernetes.io/profile: "true"
data:
  profile1.json: |-
    { "defaultAction": "SCMP_ACT_ERRNO" }
  profile2.json: |-
    { "defaultAction": "SCMP_ACT_LOG" }
```

The operator will pick up that ConfigMap and save all its profiles into the
directory:

`/var/lib/kubelet/seccomp/operator/my-namespace/cfg-map-name/`.

An init container sets up the operator's root directory so that the operator
can run without a root UID/GID. It does this by creating a symlink from the
rootless profile storage `/var/lib/seccomp-operator` to the default seccomp root
path inside the kubelet root, `/var/lib/kubelet/seccomp/operator`.

### 3. Apply profile to pod

Create a pod using one of the created profiles:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: "localhost/operator/my-namespace/cfg-map-name/profile1.json"
spec:
  containers:
    - name: test-container
      image: nginx
```

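Before committing profiles to a ConfigMap it helps to check each one locally and to derive the annotation value and on-node path that steps 2 and 3 depend on. The following Go program is an added example, not part of the operator; its validation rules (a required `defaultAction` and known `SCMP_ACT_*` actions) are an assumption about what the kubelet accepts, not a copy of the operator's own checks.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Subset of the OCI seccomp profile format checked here (not the operator's own code).
type Profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// Actions the OCI runtime-spec seccomp schema defines; extend if newer ones are needed.
var validActions = map[string]bool{"SCMP_ACT_KILL": true, "SCMP_ACT_KILL_PROCESS": true, "SCMP_ACT_KILL_THREAD": true,
	"SCMP_ACT_TRAP": true, "SCMP_ACT_ERRNO": true, "SCMP_ACT_TRACE": true, "SCMP_ACT_ALLOW": true, "SCMP_ACT_LOG": true}

// ValidateProfile rejects what the kubelet could not load: malformed JSON, a missing defaultAction, or an unknown action.
func ValidateProfile(raw string) (Profile, error) {
	var p Profile
	if err := json.Unmarshal([]byte(raw), &p); err != nil {
		return p, fmt.Errorf("profile is not valid JSON: %w", err)
	}
	if !validActions[p.DefaultAction] {
		return p, fmt.Errorf("invalid defaultAction %q", p.DefaultAction)
	}
	for _, sc := range p.Syscalls {
		if !validActions[sc.Action] {
			return p, fmt.Errorf("invalid action %q for %v", sc.Action, sc.Names)
		}
	}
	return p, nil
}

// ProfileRef derives the pod annotation value and the on-node path for one ConfigMap data key (layout as described above).
func ProfileRef(namespace, cmName, key string) (annotation, nodePath string) {
	rel := path.Join(namespace, cmName, key)
	return "localhost/operator/" + rel, "/var/lib/kubelet/seccomp/operator/" + rel
}

func main() { // constructed sample: profile1.json from the ConfigMap above
	ann, nodePath := ProfileRef("my-namespace", "cfg-map-name", "profile1.json")
	_, err := ValidateProfile(`{"defaultAction":"SCMP_ACT_ERRNO"}`)
	fmt.Println(ann, nodePath, err) // err == nil: the kubelet can load this profile
}
```
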
## Restricting to a Single Namespace

The seccomp-operator can optionally be run to watch ConfigMaps in a single
namespace. This is advantageous because it allows for tightening the RBAC
permissions required by the operator's ServiceAccount. To modify the operator
deployment to run in a single namespace, use the `namespace-operator.yaml`
manifest with your namespace of choice:

```sh
NAMESPACE=<your-namespace>

curl https://raw.githubusercontent.com/kubernetes-sigs/seccomp-operator/master/deploy/namespace-operator.yaml | sed "s/NS_REPLACE/$NAMESPACE/g" | kubectl apply -f -
```

## Troubleshooting

Confirm that the profile is being reconciled:

```sh
$ kubectl logs -n seccomp-operator seccomp-operator-v6p2h

I0618 16:06:55.242567       1 main.go:38] setup "msg"="starting seccomp-operator"
I0618 16:06:55.497098       1 listener.go:44] controller-runtime/metrics "msg"="metrics server is starting to listen"  "addr"=":8080"
I0618 16:06:55.497293       1 main.go:59] setup "msg"="starting manager"
I0618 16:06:55.498089       1 internal.go:393] controller-runtime/manager "msg"="starting metrics server"  "path"="/metrics"
I0618 16:06:55.498392       1 controller.go:164] controller-runtime/controller "msg"="Starting EventSource"  "controller"="profile" "source"={"Type":{"metadata":{"creationTimestamp":null}}}
I0618 16:06:55.598778       1 controller.go:171] controller-runtime/controller "msg"="Starting Controller"  "controller"="profile"
I0618 16:06:55.598873       1 controller.go:190] controller-runtime/controller "msg"="Starting workers"  "controller"="profile" "worker count"=1
I0618 16:08:43.507538       1 profile.go:125] profile "msg"="Reconciled profile" "namespace"="my-namespace" "profile"="test-profile" "resource version"="2912"
```

Confirm that the seccomp profiles are saved into the correct path:

```sh
$ kubectl exec -t -n seccomp-operator seccomp-operator-v6p2h -- ls /var/lib/kubelet/seccomp/operator/my-namespace/test-profile
profile-block.json
profile-complain.json
```

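The reconciliation check above can be turned into an assertion that every expected ConfigMap has been reported as reconciled. The Go program below is an added example, not part of the operator; it only assumes the `"msg"="Reconciled profile"` log format shown above, where the `profile` field carries the ConfigMap name.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Matches the operator's klog line for a successful reconcile, capturing the
// namespace, the ConfigMap name (logged as "profile") and the resource version.
var reconciledRe = regexp.MustCompile(`"msg"="Reconciled profile" "namespace"="([^"]+)" "profile"="([^"]+)" "resource version"="([^"]+)"`)

// ReconciledProfiles scans kubectl logs output and returns, per "namespace/name",
// the latest resource version the operator reported as reconciled.
func ReconciledProfiles(logs string) map[string]string {
	seen := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		if m := reconciledRe.FindStringSubmatch(sc.Text()); m != nil {
			seen[m[1]+"/"+m[2]] = m[3] // later lines override earlier ones
		}
	}
	return seen
}

// MissingProfiles lists the expected "namespace/name" keys not yet reconciled.
func MissingProfiles(expected []string, reconciled map[string]string) []string {
	var missing []string
	for _, key := range expected {
		if _, ok := reconciled[key]; !ok {
			missing = append(missing, key)
		}
	}
	return missing
}

func main() {
	// Constructed excerpt of the log output shown above.
	logs := `I0618 16:06:55.598873       1 controller.go:190] controller-runtime/controller "msg"="Starting workers"  "controller"="profile" "worker count"=1
I0618 16:08:43.507538       1 profile.go:125] profile "msg"="Reconciled profile" "namespace"="my-namespace" "profile"="test-profile" "resource version"="2912"`
	got := ReconciledProfiles(logs)
	expected := []string{"my-namespace/test-profile", "my-namespace/cfg-map-name"}
	fmt.Println(got, "missing:", MissingProfiles(expected, got))
}
```
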
Please note that corrupted seccomp profiles can disrupt your workloads. Therefore, ensure that the user the operator runs as cannot be abused by:

- Not creating that user on the actual node.
- Restricting the user ID to only the seccomp-operator (e.g. using a PodSecurityPolicy).
- Not allowing other workloads to map any part of the path `/var/lib/kubelet/seccomp/operator`.