kubernetes: replace deprecated seccomp annotations with securityContext

Kubernetes added the official `securityContext.seccompProfile` support in Kubernetes 1.19. Seccomp is still disabled by default. The legacy `container.seccomp.security.alpha.kubernetes.io/<PODNAME>` annotation has been deprecated and will be unsupported in Kubernetes 1.25. https://kubernetes.io/docs/tutorials/security/seccomp/ A test cluster can be created with the following minikube command: ``` minikube start --feature-gates SeccompDefault=true --extra-config kubelet.seccomp-default=true ``` Related to moby/buildkit PR 2782 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-07-09 21:17:09 +08:00 · 2022-04-07 17:23:42 +09:00
parent a60150cbc6
commit add4301ed6
2 changed files with 7 additions and 4 deletions
--- a/driver/kubernetes/manifest/manifest.go
+++ b/driver/kubernetes/manifest/manifest.go
@ -204,12 +204,15 @@ func toRootless(d *appsv1.Deployment) error {
 		d.Spec.Template.Spec.Containers[0].Args,
 		"--oci-worker-no-process-sandbox",
 	)
-	d.Spec.Template.Spec.Containers[0].SecurityContext = nil
+	d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeUnconfined,
+		},
+	}
 	if d.Spec.Template.ObjectMeta.Annotations == nil {
-		d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 2)
+		d.Spec.Template.ObjectMeta.Annotations = make(map[string]string, 1)
 	}
 	d.Spec.Template.ObjectMeta.Annotations["container.apparmor.security.beta.kubernetes.io/"+containerName] = "unconfined"
-	d.Spec.Template.ObjectMeta.Annotations["container.seccomp.security.alpha.kubernetes.io/"+containerName] = "unconfined"
 	return nil
 }