From 07cd0924eae3088c302c2eec428b09b33edb3b85 Mon Sep 17 00:00:00 2001
From: Noel Georgi
Date: Thu, 11 Aug 2022 19:20:09 +0530
Subject: [PATCH] fix: recursive seccomp mounts

Since `/var/lib/kubelet` was mounted with `rbind` and `rshared`, the seccomp profile mount from the host at `/var/lib/seccomp/profiles` when mounted at `/var/lib/kubelet/seccomp/profiles` would create a mount back to the host creating an extra mount everytime kubelet starts/restarts. Fix the issue by using the same path for the seccomp profiles on both host and kubelet.

Signed-off-by: Noel Georgi
---
 hack/release.toml | 2 +-
 internal/app/machined/pkg/system/services/kubelet.go | 1 -
 pkg/machinery/constants/constants.go | 7 ++-----
 .../kubernetes-guides/configuration/seccomp-profiles.md | 5 ++---
 4 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/hack/release.toml b/hack/release.toml
index f94150ea0..14825d909 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -103,7 +103,7 @@ machine:
 This profile data can be either configured as a YAML definition or as a JSON string.
-The profiles are created on the host under `/var/lib/seccomp/profiles` and bind mounted at `/var/lib/kubelet/seccomp/profiles` so Kubelet can use it.
+The profiles are created on the host under `/var/lib/kubelet/seccomp/profiles`.
 See [documentation](https://www.talos.dev/v1.2/kubernetes-guides/configuration/seccomp-profiles/) for more details.
 """
diff --git a/internal/app/machined/pkg/system/services/kubelet.go b/internal/app/machined/pkg/system/services/kubelet.go
index 51526d9a4..aaad4b821 100644
--- a/internal/app/machined/pkg/system/services/kubelet.go
+++ b/internal/app/machined/pkg/system/services/kubelet.go
@@ -124,7 +124,6 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 {Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/var/log/containers", Source: "/var/log/containers", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "bind", Destination: "/var/log/pods", Source: "/var/log/pods", Options: []string{"rbind", "rshared", "rw"}},
- {Type: "bind", Destination: constants.KubeletSeccompProfilesDirectory, Source: constants.SeccompProfilesDirectory, Options: []string{"bind", "ro"}},
 }
 // Add extra mounts.
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index 75f9f399a..647657566 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -277,11 +277,8 @@ const (
 // Should be less than KubeletShutdownGracePeriod.
 KubeletShutdownGracePeriodCriticalPods = 10 * time.Second
- // SeccompProfilesDirectory is the path to the directory where user provided seccomp profiles are stored.
- SeccompProfilesDirectory = "/var/lib/seccomp/profiles"
-
- // KubeletSeccompProfilesDirectory is the path to the directory where user provided seccomp profiles are mounted inside Kubelet.
- KubeletSeccompProfilesDirectory = "/var/lib/kubelet/seccomp/profiles"
+ // SeccompProfilesDirectory is the path to the directory where user provided seccomp profiles are mounted inside Kubelet.
+ SeccompProfilesDirectory = "/var/lib/kubelet/seccomp/profiles"
 // DefaultKubernetesVersion is the default target version of the control plane.
 DefaultKubernetesVersion = "1.25.0-beta.0"
diff --git a/website/content/v1.2/kubernetes-guides/configuration/seccomp-profiles.md b/website/content/v1.2/kubernetes-guides/configuration/seccomp-profiles.md
index 3a912d115..1cff21e50 100644
--- a/website/content/v1.2/kubernetes-guides/configuration/seccomp-profiles.md
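Review bot: With the dedicated `bind,ro` mount removed, the seccomp profile directory is now reachable only through the `/var/lib/kubelet` entry three lines above, which is `rbind,rshared,rw`, so the profiles lose the read-only view they previously had from inside the kubelet container. The commit message explains why the separate mount had to go (propagation back to the host through `rshared`), but nothing in the hunk records that this trade-off was deliberate. A short comment on the `/var/lib/kubelet` entry would keep the next maintainer from reintroducing the mount, e.g. `// Seccomp profiles live under constants.SeccompProfilesDirectory inside this rshared mount; a separate bind mount of them propagates back to the host on every restart, so they are intentionally not mounted read-only here.` Whether a non-propagating (`private`) read-only bind over the profiles directory would avoid the duplicate host mounts is worth checking separately. Runner's body starts and ends outside the hunk.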
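Review bot: The new doc comment on `SeccompProfilesDirectory` still says the profiles are "mounted inside Kubelet", but this commit removes that mount; after it the path is simply where the profiles are written on the host, and the kubelet sees them only because `/var/lib/kubelet` is bind-mounted into it. Suggest `// SeccompProfilesDirectory is the path on the host where user provided seccomp profiles are stored; it lives under /var/lib/kubelet so the kubelet sees it without a dedicated mount.` Dropping the exported `KubeletSeccompProfilesDirectory` is also an API break for anything importing `pkg/machinery/constants`; keeping `// Deprecated: use SeccompProfilesDirectory.` followed by `KubeletSeccompProfilesDirectory = SeccompProfilesDirectory` would preserve compatibility for a release. The enclosing const block starts and ends outside the hunk.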
+++ b/website/content/v1.2/kubernetes-guides/configuration/seccomp-profiles.md
@@ -30,8 +30,7 @@ Apply the machine config to all the nodes using talosctl:
 talosctl -e -n patch mc -p @patch.yaml
 ```
-This would create a seccomp profile name `audit.json` on the node at `/var/lib/seccomp/profiles`.
-Talos automatically bind mounts `/var/lib/seccomp/profiles` into `/var/lib/kubelet/seccomp/profiles` so it can be used by the Kubelet.
+This would create a seccomp profile name `audit.json` on the node at `/var/lib/kubelet/seccomp/profiles`.
 The profiles can be used by Kubernetes pods by specfying the pod `securityContext` as below:
@@ -62,7 +61,7 @@ NODE NAMESPACE TYPE ID VERSION
 The content of the seccomp profile can be viewed by running the below command:
 ```bash
-talosctl -e -n read /var/lib/seccomp/profiles/audit.json
+talosctl -e -n read /var/lib/kubelet/seccomp/profiles/audit.json
 ```
 An output similar to below can be observed: