Add documentation about SeccompDefault feature

This adds a documentation section about the `SeccompDefault` feature gate for the kubelet. Beside that, the feature gate has been added to the list of features, too. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
kubernetes · May 12, 2021 · 4e0217b · 4e0217b
1 parent 3473888
commit 4e0217b
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -158,6 +158,7 @@ different Kubernetes components.
 | `RotateKubeletServerCertificate` | `false` | Alpha | 1.7 | 1.11 |
 | `RotateKubeletServerCertificate` | `true` | Beta | 1.12 | |
 | `RunAsGroup` | `true` | Beta | 1.14 | |
+| `SeccompDefault` | `false` | Alpha | 1.22 | 1.23 |
 | `ServerSideApply` | `false` | Alpha | 1.14 | 1.15 |
 | `ServerSideApply` | `true` | Beta | 1.16 | |
 | `ServiceInternalTrafficPolicy` | `false` | Alpha | 1.21 | |
@@ -766,6 +767,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
   instead of the DaemonSet controller.
 - `SCTPSupport`: Enables the _SCTP_ `protocol` value in Pod, Service,
   Endpoints, EndpointSlice, and NetworkPolicy definitions.
+- `SeccompDefault`: Enables using the `RuntimeDefault` seccomp profile if nothing
+  else is specified within the `SecurityContext` of a workload.
 - `ServerSideApply`: Enables the [Sever Side Apply (SSA)](/docs/reference/using-api/server-side-apply/)
   feature on the API Server.
 - `ServiceAccountIssuerDiscovery`: Enable OIDC discovery endpoints (issuer and

diff --git a/content/en/docs/tutorials/clusters/seccomp.md b/content/en/docs/tutorials/clusters/seccomp.md
@@ -6,6 +6,7 @@ reviewers:
 title: Restrict a Container's Syscalls with Seccomp
 content_type: tutorial
 weight: 20
+min-kubernetes-server-version: v1.22
 ---
 
 <!-- overview -->
@@ -35,16 +36,61 @@ profiles that give only the necessary privileges to your container processes.
 
 ## {{% heading "prerequisites" %}}
 
+{{< version-check >}}
+
 In order to complete all steps in this tutorial, you must install
 [kind](https://kind.sigs.k8s.io/docs/user/quick-start/) and
 [kubectl](/docs/tasks/tools/). This tutorial will show examples
-with both alpha (pre-v1.19) and generally available seccomp functionality, so
+with both alpha (pre-v1.22) and generally available seccomp functionality, so
 make sure that your cluster is [configured
 correctly](https://kind.sigs.k8s.io/docs/user/quick-start/#setting-kubernetes-version)
 for the version you are using.
 
 <!-- steps -->
 
+## Enable the `RuntimeDefault` seccomp profile for all workloads
+
+{{< feature-state state="alpha" >}}
+
+A new kubelet alpha [feature gate](/docs/reference/command-line-tools-reference/feature-gates)
+`SeccompDefault` has been introduced with the release of Kubernetes v1.22.0.
+
+If enabled, the kubelet will always use the `RuntimeDefault` seccomp profile of
+the corresponding container runtime instead of running the workload in
+`Unconfined` (seccomp disabled) mode. Those profiles aim to provide a strong set
+of security defaults while preserving the functionality of the workload. It is
+possible that the default profiles differ between container runtimes and their
+release versions, for example when comparing those from
+[CRI-O](https://github.com/cri-o/cri-o/blob/b99366680904420974463572f6f0b92166437b0e/vendor/github.com/containers/common/pkg/seccomp/default_linux.go#L45)
+and
+[containerd](https://github.com/containerd/containerd/blob/261c107ffc4ff681bc73988f64e3f60c32233b37/contrib/seccomp/seccomp_default.go#L51).
+
+Some workloads may require a lower set of syscall restrictions. This means that
+they can fail during runtime even with the `RuntimeDefault` profile. To
+mitigate such a failure, either:
+
+- Run the workload explicitly as `Unconfined`.
+- Disable the `SeccompDefault` feature for the nodes.
+- Create a custom seccomp profile for the workload.
+
+It is recommended to enable the feature on a per-node basis and test the
+execution of workloads in conjunction with the `RuntimeDefault` profile before
+deploying them into production.
+
+Since the feature is in alpha state it is disabled per default. To enable it,
+pass the flag `--feature-gates=SeccompDefault=true` to the `kubelet` CLI or
+enable it via the [kubelet configuration
+file](/docs/tasks/administer-cluster/kubelet-config-file). To enable the feature
+gate in kind, ensure that it ships the minimum required Kubernetes version as
+well as enabling it in the kind configuration:
+
+```yaml
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+featureGates:
+  SeccompDefault: true
+```
+
 ## Create Seccomp Profiles
 
 The contents of these profiles will be explored later on, but for now go ahead