Open alan2112000 opened 11 months ago
I'm not aware of anything specific to AL2 that would cause this. Are you able to reproduce it on a different distro, like the EKS Ubuntu AMI?
With same environment I mentioned above (1.27), I used EKS ubuntu AMI I cannot reproduce the bug. I event don't have to add any new syscalls into the seccomp profile to make it works.
Environment
AMI Version: ubuntu-eks/k8s_1.27/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20230628
Kernel: 5.15.0-1039-aws
Release Information(run cat /etc/lsb-release
)
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"
What happened: The syscalls in the seccomp did not be allowed to use in pod. We are using playwright to crawl website and I followed the instruction, to create seccomp profile and apply to the pod. It works in our legacy environment AWS Region: us-west-2 Kubernetes Version: 1.21 EKS Version: eks.20 Instance Type: r5.large AMI: amazon-eks-node-1.21-v20220406
After upgraded the cluster to 1.27 and
amazon-eks-node-1.27-v20230816
AMI, there are three types of syscalls show in audit.logAccording to the syscalls table
I added
into seccomp profile, but only the 330 audit log is gone.
What you expected to happen:
seccomp profile should work for new syscalls 435 439, so I can change the action to
SCMP_ACT_ERRNO
.How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment
uname -a
): 5.10.186-179.751.amzn2.x86_64cat /etc/eks/release
on a node):