Skip to content

Commit

Permalink
Address feedback
Browse files Browse the repository at this point in the history
  • Loading branch information
tallclair committed Jul 30, 2019
1 parent 82f393e commit fbab931
Showing 1 changed file with 13 additions and 3 deletions.
16 changes: 13 additions & 3 deletions keps/sig-node/20190717-seccomp-ga.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ status: provisional
- [PodSecurityPolicy Update](#podsecuritypolicy-update)
- [PodSecurityPolicy Enforcement](#podsecuritypolicy-enforcement)
- [PodTemplates](#podtemplates)
- [Upgrade / Downgrade](#upgrade--downgrade)
- [Test Plan](#test-plan)
- [Graduation Criteria](#graduation-criteria)
- [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
Expand Down Expand Up @@ -115,7 +116,7 @@ GA will be covered by a separate KEP._

- Declare seccomp GA
- Fully document and formally spec the feature support
- Migrate the annotations to standard API fields
- Add equivalent API fields to replace seccomp annotations
- Deprecate the seccomp annotations

### Non-Goals
Expand All @@ -128,6 +129,7 @@ are out of scope, including:
- Formally speccing the seccomp profile format in Kubernetes
- Providing mechanisms for loading profiles from outside the static seccomp node directory
- Changing the semantics around seccomp support
- Windows support (seccomp is very linux-specific)

## Proposal

Expand All @@ -139,7 +141,7 @@ specifies allowed profiles & a default profile.

#### Pod API

The Pod Seccomp API is immutable.
The Pod Seccomp API is immutable, except in [`PodTemplates`](#podtemplates).

```go
type PodSecurityContext struct {
Expand Down Expand Up @@ -315,13 +317,21 @@ version running the pod.
PodTemplates (e.g. ReplaceSets, Deployments, StatefulSets, etc.) will be ignored. The
field/annotation resolution will happen on template instantiation.

#### Upgrade / Downgrade

Nodes do not currently support in-place upgrades, so pods will be recreated on node upgrade and
downgrade. No special handling or consideration is needed to support this.

On the API server side, we've already taken version skew in HA clusters into account. The same
precautions make upgrade & downgrade handling a non-issue.

### Test Plan

Seccomp already has [E2E tests][], but the tests are guarded by the `[Feature:Seccomp]` tag and not
run in the standard test suites.

Prior to being marked GA, the feature tag will be removed from the seccomp tests, and the tests will
be migrated to the new fields API.
be migrated to the new fields API. Tests will be tagged as `[LinuxOnly]`.

New tests will be added covering the annotation/field conflict cases described under
[Version Skew Strategy](#version-skew-strategy).
Expand Down

0 comments on commit fbab931

Please sign in to comment.