SAP-archive / karydia

Kubernetes Security Walnut

Custom seccomp profiles with karydia #163

Closed Neumann-Nils closed 4 years ago

Neumann-Nils commented 5 years ago

Description

Creating and installing a custom seccomp profile is quite time-consuming and complex (see #135). Thus, karydia should provide an easy and appealing solution to install and deploy your custom seccomp profile on each node.

User Story

As a user I want to use karydia to easily install and deploy my custom seccomp profiles in order to secure my clusters.

Implementation idea

For this feature, the following parts should be done:

Neumann-Nils commented 5 years ago

When new nodes are introduced, the daemonset will create pods accordingly (see https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/).

However, a daemonset currently does not support the "restartPolicy" "Never", which would be needed to create a pod that runs only once and gets terminated afterwards. However, this feature seems to be in progress:

If it gets implemented, it would allow us to create a daemonset that spins up a pod only once, copies the custom seccomp profiles and terminates afterwards.

Neumann-Nils commented 5 years ago

One could also register on the event of node creation (using our webhook functionality) and spin up a pod on this node that copies the custom seccomp profiles manually.

Neumann-Nils commented 5 years ago

A workaround would be to keep the pod alive and do nothing (e.g. while sleep 3600). This would also result in the pod only being started once for each node (see: https://github.com/cloudfoundry-community/eirini-bosh-release/pull/37).
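The "copy the profiles, then sleep" workaround from the thread, written out as an added example; these are not karydia's manifests, and the names (`seccomp-installer`, `custom-seccomp-profiles`, `deny-privileged.json`), the profile content and the image tag are assumptions for illustration. An initContainer copies the profiles from a ConfigMap into the kubelet's seccomp root on the node (`/var/lib/kubelet/seccomp` unless the kubelet's root dir was changed), and the main container only sleeps so the DaemonSet never restarts the pod. The profile is a deny list on top of a default allow, a starting point rather than a hardened profile.

```yaml
# Added example, not karydia's own code. Names and profile content are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-seccomp-profiles
  namespace: kube-system
data:
  # Allow by default, block syscalls a container workload should never need.
  deny-privileged.json: |
    {
      "defaultAction": "SCMP_ACT_ALLOW",
      "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
      "syscalls": [
        {
          "names": ["mount", "umount2", "pivot_root", "ptrace", "process_vm_readv",
                    "process_vm_writev", "keyctl", "add_key", "request_key",
                    "kexec_load", "kexec_file_load", "reboot", "init_module",
                    "finit_module", "delete_module", "bpf", "unshare", "setns",
                    "open_by_handle_at", "acct", "swapon", "swapoff"],
          "action": "SCMP_ACT_ERRNO"
        }
      ]
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: seccomp-installer
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: seccomp-installer
  template:
    metadata:
      labels:
        app: seccomp-installer
    spec:
      tolerations:
        - operator: Exists          # run on every node, tainted control-plane nodes included
      initContainers:
        # Step 1: copy profiles into the kubelet's seccomp root on the node.
        # Needs root and a writable hostPath, so keep it confined to this one step.
        - name: install-profiles
          image: busybox:1.36
          command: ["sh", "-c", "cp -v /profiles/*.json /host-seccomp/ && chmod 0644 /host-seccomp/*.json"]
          volumeMounts:
            - { name: profiles, mountPath: /profiles, readOnly: true }
            - { name: host-seccomp, mountPath: /host-seccomp }
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: false
            capabilities: { drop: ["ALL"] }
      containers:
        # Step 2: the do-nothing container that keeps the pod alive, so the
        # DaemonSet runs the copy exactly once per node.
        - name: pause
          image: busybox:1.36
          command: ["sh", "-c", "while true; do sleep 3600; done"]
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities: { drop: ["ALL"] }
          resources:
            requests: { cpu: 5m, memory: 8Mi }
            limits: { cpu: 10m, memory: 16Mi }
      volumes:
        - name: profiles
          configMap: { name: custom-seccomp-profiles }
        - name: host-seccomp
          hostPath:
            path: /var/lib/kubelet/seccomp   # kubelet default seccomp root
            type: DirectoryOrCreate
---
# A workload using the installed profile; the path is relative to the seccomp root.
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-demo
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: deny-privileged.json
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "mount -t tmpfs none /mnt || echo 'mount blocked as expected'; sleep 30"]
```

Two caveats a practitioner will hit: the profile is copied only when the pod starts, so changing the ConfigMap does nothing until the DaemonSet pods are restarted, and a pod that references a Localhost profile is rejected by the kubelet if the file is not yet present on the node it lands on, so the installer has to be running before such workloads schedule. The `securityContext.seccompProfile` field is the Kubernetes 1.19+ form; older clusters use the `seccomp.security.alpha.kubernetes.io/pod: localhost/<file>` annotation instead. Writing to a hostPath from `kube-system` also has to be permitted by whatever pod security policy or admission control the cluster enforces.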