Possibly incorrect "spec.securityContext: Additional property seccompProfile is not allowed" error
hasakura12 opened this issue · 3 comments
hasakura12 commented
Your question
I added a Seccomp profile to spec.securityContext as below:

```yaml
apiVersion: v1
kind: Pod
metadata:
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
```
And I scanned the yaml using kubesec:

```shell
docker run -i kubesec/kubesec:v2 scan /dev/stdin < pod.yaml
```
Then I got the below error:

```json
[
  {
    "object": "Pod/6db7ff88bc-b4sjp.prod",
    "valid": false,
    "fileName": "STDIN",
    "message": "spec.securityContext: Additional property seccompProfile is not allowed ",
    "score": 0,
    "scoring": {}
  }
]
```
I'm not sure why it says it's not allowed. `kubectl explain` outputs seccompProfile as a correct attribute:

```
$ k explain pod.spec.securityContext
KIND:     Pod
VERSION:  v1

RESOURCE: securityContext <Object>

DESCRIPTION:
     SecurityContext holds pod-level security attributes and common container
     settings. Optional: Defaults to empty. See type description for default
     values of each field.

     PodSecurityContext holds pod-level security attributes and common container
     settings. Some fields are also present in container.securityContext. Field
     values of container.securityContext take precedence over field values of
     PodSecurityContext.

FIELDS:
   seccompProfile <Object>
     The seccomp options to use by the containers in this pod.
```
Any idea why?
Magier commented
I haven't looked under the hood, but my guess is this error is a consequence of #224. In Kubernetes v1.18 seccomp was configured via an annotation and not as a field in the securityContext. Kubesec seems to stop scanning a file when it's not valid according to a predefined schema.
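The two seccomp forms contrasted in the comment above (the `securityContext.seccompProfile` field versus the pre-1.19 annotations) can be reconciled by a reviewer-side check that reports the effective profile per container whichever form a manifest uses. This is an added example, not kubesec's code or part of the issue; it takes a manifest already parsed into a dict (for instance with PyYAML), and the legacy annotation keys and value mapping are the ones Kubernetes used before the field existed.

```python
# Legacy annotation keys that predate the securityContext.seccompProfile field.
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"
LEGACY_VALUES = {"runtime/default": "RuntimeDefault", "docker/default": "RuntimeDefault",
                 "unconfined": "Unconfined"}

def annotation_to_type(value):
    """Map a legacy annotation value onto the seccompProfile.type vocabulary."""
    if value is None:
        return None
    if value.startswith("localhost/"):
        return "Localhost"
    return LEGACY_VALUES.get(value, "Unknown:" + value)

def seccomp_report(pod):
    """Effective seccomp setting for the pod and each container, from either form.
    Precedence: container field > container annotation > pod field > pod annotation.
    None means nothing is configured at all (the container runs unconfined)."""
    spec = pod.get("spec") or {}
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    pod_field = (spec.get("securityContext") or {}).get("seccompProfile")
    pod_setting = (pod_field["type"] if pod_field
                   else annotation_to_type(annotations.get(POD_ANNOTATION)))
    containers = {}
    for ctr in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        name = ctr.get("name", "<unnamed>")
        ctr_field = (ctr.get("securityContext") or {}).get("seccompProfile")
        if ctr_field:
            containers[name] = ctr_field["type"]
        elif CONTAINER_ANNOTATION_PREFIX + name in annotations:
            containers[name] = annotation_to_type(annotations[CONTAINER_ANNOTATION_PREFIX + name])
        else:
            containers[name] = pod_setting
    unconfined = [n for n, s in containers.items() if s in (None, "Unconfined")]
    return {"pod": pod_setting, "containers": containers, "unconfined": unconfined}

# Constructed samples: the issue's manifest (plus one container) and the same policy
# expressed in the pre-1.19 annotation form that an older schema expects.
FIELD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "field-form"},
             "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                      "containers": [{"name": "app"}]}}
ANNOTATION_POD = {"apiVersion": "v1", "kind": "Pod",
                  "metadata": {"name": "annotation-form", "annotations": {
                      POD_ANNOTATION: "runtime/default",
                      CONTAINER_ANNOTATION_PREFIX + "debug": "unconfined"}},
                  "spec": {"containers": [{"name": "app"}, {"name": "debug"}]}}

if __name__ == "__main__":
    for pod in (FIELD_POD, ANNOTATION_POD):
        print(pod["metadata"]["name"], seccomp_report(pod))
```

Running it prints both pods' reports; a container listed under `unconfined` has no profile in either form and is the one a scanner should flag regardless of which schema it validates against.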
Yanofnasr commented
Any updates regarding this issue?