Closed iaguis closed 5 years ago
Note that the runtime spec is more flexible than rkt regarding seccomp. For example, it can specify a per-syscall behavior (return errno, send signal...). rkt has this limitation because it uses systemd directives in the service files for apps in a pod.
To avoid this kind of issue, using runc as the stage2 execution environment was discussed in https://github.com/rkt/rkt/issues/3408.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
Kubernetes supports specifying custom seccomp profiles by passing localhost/PROFILE_NAME, with profiles being by default in /var/lib/kubelet/seccomp on the host. The format of the custom profiles is defined in the runtime spec. We're currently erroring out if we find a custom profile but we should handle them.
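Added example, not from the issue or from rkt's code: a Go check for the limitation raised in the thread. It reads a runtime-spec seccomp profile and lists the rules that would be lost in a list-based filter applying one action to one set of syscalls. The list model, the `Flatten` function and the sample profile are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Profile struct { // only the runtime-spec seccomp fields used below
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string      `json:"names"`
		Action string        `json:"action"`
		Args   []interface{} `json:"args"`
	} `json:"syscalls"`
}

// Constructed sample: an allow-list plus one per-syscall action and one argument filter.
const sample = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[
 {"names":["read","write"],"action":"SCMP_ACT_ALLOW"},{"names":["ptrace"],"action":"SCMP_ACT_KILL"},
 {"names":["socket"],"action":"SCMP_ACT_ALLOW","args":[{"index":0,"value":1,"op":"SCMP_CMP_EQ"}]}]}`

// Flatten maps a profile onto the assumed list model (one syscall list, one
// action for listed calls) and returns the rules that do not fit in lost.
func Flatten(raw []byte) (mode string, names, lost []string, err error) {
	var p Profile
	if err = json.Unmarshal(raw, &p); err != nil {
		return "", nil, nil, err
	}
	mode, listAction := "allow-list", "SCMP_ACT_ALLOW"
	if p.DefaultAction == "SCMP_ACT_ALLOW" {
		mode, listAction = "deny-list", "" // fixed by the first deny rule seen
	}
	for _, r := range p.Syscalls {
		switch {
		case len(r.Args) > 0:
			lost = append(lost, fmt.Sprintf("%v: argument conditions", r.Names))
		case r.Action == p.DefaultAction: // redundant with the default action
		case listAction != "" && r.Action != listAction:
			lost = append(lost, fmt.Sprintf("%v: per-syscall action %s", r.Names, r.Action))
		default:
			listAction = r.Action // no-op for allow-lists; sets the deny action once
			names = append(names, r.Names...)
		}
	}
	return mode, names, lost, nil
}

func main() {
	fmt.Println(Flatten([]byte(sample)))
}
```

A non-empty `lost` slice means the profile cannot be applied faithfully under the list model, so a caller can reject it with a precise reason instead of enforcing a weaker filter.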