diff --git a/hack/release.toml b/hack/release.toml
index f94150ea0..14825d909 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -103,7 +103,7 @@ machine:
 This profile data can be either configured as a YAML definition or as a JSON string.
-The profiles are created on the host under `/var/lib/seccomp/profiles` and bind mounted at `/var/lib/kubelet/seccomp/profiles` so Kubelet can use it.
+The profiles are created on the host under `/var/lib/kubelet/seccomp/profiles`. See [documentation](https://www.talos.dev/v1.2/kubernetes-guides/configuration/seccomp-profiles/) for more details.
 """
diff --git a/internal/app/machined/pkg/system/services/kubelet.go b/internal/app/machined/pkg/system/services/kubelet.go
index 51526d9a4..aaad4b821 100644
--- a/internal/app/machined/pkg/system/services/kubelet.go
+++ b/internal/app/machined/pkg/system/services/kubelet.go
@@ -124,7 +124,6 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 		{Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
 		{Type: "bind", Destination: "/var/log/containers", Source: "/var/log/containers", Options: []string{"rbind", "rshared", "rw"}},
 		{Type: "bind", Destination: "/var/log/pods", Source: "/var/log/pods", Options: []string{"rbind", "rshared", "rw"}},
-		{Type: "bind", Destination: constants.KubeletSeccompProfilesDirectory, Source: constants.SeccompProfilesDirectory, Options: []string{"bind", "ro"}},
 	}
 	// Add extra mounts.
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index 75f9f399a..647657566 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -277,11 +277,8 @@ const (
 	// Should be less than KubeletShutdownGracePeriod.
 	KubeletShutdownGracePeriodCriticalPods = 10 * time.Second
-	// SeccompProfilesDirectory is the path to the directory where user provided seccomp profiles are stored.
-	SeccompProfilesDirectory = "/var/lib/seccomp/profiles"
-
-	// KubeletSeccompProfilesDirectory is the path to the directory where user provided seccomp profiles are mounted inside Kubelet.
-	KubeletSeccompProfilesDirectory = "/var/lib/kubelet/seccomp/profiles"
+	// SeccompProfilesDirectory is the path to the directory where user provided seccomp profiles are mounted inside Kubelet.
+	SeccompProfilesDirectory = "/var/lib/kubelet/seccomp/profiles"
 	// DefaultKubernetesVersion is the default target version of the control plane.
 	DefaultKubernetesVersion = "1.25.0-beta.0"
diff --git a/website/content/v1.2/kubernetes-guides/configuration/seccomp-profiles.md b/website/content/v1.2/kubernetes-guides/configuration/seccomp-profiles.md
index 3a912d115..1cff21e50 100644
--- a/website/content/v1.2/kubernetes-guides/configuration/seccomp-profiles.md
+++ b/website/content/v1.2/kubernetes-guides/configuration/seccomp-profiles.md
@@ -30,8 +30,7 @@ Apply the machine config to all the nodes using talosctl:
 talosctl -e -n patch mc -p @patch.yaml
 ```
-This would create a seccomp profile name `audit.json` on the node at `/var/lib/seccomp/profiles`.
-Talos automatically bind mounts `/var/lib/seccomp/profiles` into `/var/lib/kubelet/seccomp/profiles` so it can be used by the Kubelet.
+This would create a seccomp profile name `audit.json` on the node at `/var/lib/kubelet/seccomp/profiles`.
 The profiles can be used by Kubernetes pods by specfying the pod `securityContext` as below:
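Review bot: The new doc comment on `SeccompProfilesDirectory` still says the profiles are "mounted inside Kubelet", but this commit removes the dedicated bind mount in kubelet.go, so the path is now just a host directory that the kubelet reaches through the existing `rbind`/`rw` mount of `/var/lib/kubelet` shown a few lines above the removed entry. That also silently drops the `ro` option the old mount carried: the seccomp profiles are no longer read-only from the kubelet's mount namespace, which is worth stating explicitly since they are a security control that pods reference via `securityContext`. Suggest replacing the comment with `// SeccompProfilesDirectory is the host path under which user-provided seccomp profiles are created; it sits inside /var/lib/kubelet, which is bind-mounted read-write into the kubelet, so the profiles are visible there without a separate (read-only) mount.` The `const (` block starts before this hunk and continues after it.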
@@ -62,7 +61,7 @@ NODE NAMESPACE TYPE ID VERSION
 The content of the seccomp profile can be viewed by running the below command:
 ```bash
-talosctl -e -n read /var/lib/seccomp/profiles/audit.json
+talosctl -e -n read /var/lib/kubelet/seccomp/profiles/audit.json
 ```
 An output similar to below can be observed: