kubernetes-retired / rktlet

[EOL] The rkt implementation of the Kubernetes Container Runtime Interface
Apache License 2.0

Test of seccomp profile "docker/default" fails #143

Closed dongsupark closed 6 years ago

dongsupark commented 7 years ago

There are many seccomp tests that fail. One of the simple examples is the test "should support seccomp docker/default on the container".

• Failure [4.215 seconds]
[k8s.io] Security Context
/home/dpark/go/src/github.com/kubernetes-incubator/cri-tools/pkg/framework/framework.go:72
  SeccompProfilePath
  /home/dpark/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:410
    docker/default
    /home/dpark/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:559
      should support seccomp docker/default on the container [It]
      /home/dpark/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:560

      Expected
          <string>: Seccomp:    0

      to contain substring
          <string>: 2

      /home/dpark/go/src/github.com/kubernetes-incubator/cri-tools/pkg/validate/security_context.go:906

That means basically that /proc/self/status shows Seccomp: 0 (not in seccomp mode). As rkt already supports the default seccomp profile docker/default, I'm not sure I understand.

On the other hand, not all seccomp tests fail. For example, the test "runtime should support setting hostname with docker/default seccomp profile and SYS_ADMIN" succeeds. Strange.

iaguis commented 7 years ago

I think the problem is related to how we implement seccomp in the rktlet.

In https://github.com/kubernetes-incubator/rktlet/commit/8088ab5394eb26cf77f56c5cd5adad1eebf505a3 I implemented the forwarding of seccomp options, but I only did it through annotations since that's what's implemented in v1.7.x. However, later (in v1.8.0) they moved it to a field in SecurityContext, which is what "should support seccomp docker/default on the container" is using. I'm not sure why the other seccomp tests pass.

Even though the cri-tools readme says "We are currently working toward an alpha version of CRI validation tests to be used in conjunction with Kubernetes 1.7.", it seems cri-tools v0.2 bumps the CRI interface to v1.8.
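
The mismatch discussed in this thread, as an added example that is not part of the original issue and is not rktlet's code: a runtime that honours the v1.8 `SeccompProfilePath` field first and falls back to the v1.7 annotations, plus the `/proc/<pid>/status` check the test performs. The function names are hypothetical, the annotation keys are the Kubernetes alpha seccomp annotations, and the status text is constructed sample input.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Annotation keys used to request a seccomp profile in Kubernetes v1.7.x.
const (
	podSeccompAnnotation       = "seccomp.security.alpha.kubernetes.io/pod"
	containerSeccompAnnotation = "container.seccomp.security.alpha.kubernetes.io/"
)

// resolveSeccompProfile (hypothetical helper) prefers the CRI v1.8
// SeccompProfilePath field and falls back to the v1.7 annotations,
// container-specific first, then pod-wide. "" means nothing was requested.
func resolveSeccompProfile(profilePath, containerName string, annotations map[string]string) string {
	if profilePath != "" {
		return profilePath
	}
	if p, ok := annotations[containerSeccompAnnotation+containerName]; ok {
		return p
	}
	return annotations[podSeccompAnnotation]
}

// seccompMode extracts the "Seccomp:" value from /proc/<pid>/status content.
// Kernel values: 0 = disabled, 1 = strict, 2 = filter (what the test expects).
func seccompMode(status string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "Seccomp:") {
			return strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "Seccomp:")))
		}
	}
	return -1, fmt.Errorf("no Seccomp line in status")
}

func main() {
	// Constructed v1.8-style request: field set, no annotations present.
	// An annotations-only lookup would return "" here and skip the profile.
	fmt.Println(resolveSeccompProfile("docker/default", "test", nil))
	// Constructed status text matching the failing test output above.
	fmt.Println(seccompMode("Name:\tcat\nSeccomp:\t0\n"))
}
```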