third_party/go/patches/k8s-revert-seccomp-runtime-default.patch - monogon - Gitiles

 Copyright 2020 The Monogon Project Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.


 From 2adf4ec9796839014a708761b8fb6ad815306def Mon Sep 17 00:00:00 2001
 From: Serge Bazanski <serge@nexantic.com>
 Date: Tue, 26 Jan 2021 11:37:01 +0100
 Subject: [PATCH] Manually revert
  https://github.com/kubernetes/kubernetes/pull/90949

 This reverts PR 90494 which breaks runc within Metropolis. See T916.

 ---
  pkg/kubelet/kuberuntime/kuberuntime_sandbox.go | 7 ++-----
  1 file changed, 2 insertions(+), 5 deletions(-)

 diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
 index 0978044f753..c46436f2a41 100644
 --- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
 +++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
 @@ -148,11 +148,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
  	lc := &runtimeapi.LinuxPodSandboxConfig{
  		CgroupParent: cgroupParent,
  		SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
 -			Privileged: kubecontainer.HasPrivilegedContainer(pod),
 -
 -			// Forcing sandbox to run as `runtime/default` allow users to
 -			// use least privileged seccomp profiles at pod level. Issue #84623
 -			SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
 +			Privileged:         kubecontainer.HasPrivilegedContainer(pod),
 +			SeccompProfilePath: m.getSeccompProfile(pod.Annotations, "", pod.Spec.SecurityContext, nil),
  		},
  	}

 --
 2.26.2
	Copyright 2020 The Monogon Project Authors.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.


	From 2adf4ec9796839014a708761b8fb6ad815306def Mon Sep 17 00:00:00 2001
	From: Serge Bazanski <serge@nexantic.com>
	Date: Tue, 26 Jan 2021 11:37:01 +0100
	Subject: [PATCH] Manually revert
	https://github.com/kubernetes/kubernetes/pull/90949

	This reverts PR 90494 which breaks runc within Metropolis. See T916.

	---
	pkg/kubelet/kuberuntime/kuberuntime_sandbox.go \| 7 ++-----
	1 file changed, 2 insertions(+), 5 deletions(-)

	diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
	index 0978044f753..c46436f2a41 100644
	--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
	+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
	@@ -148,11 +148,8 @@ func (m kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod v1.Pod) (
	lc := &runtimeapi.LinuxPodSandboxConfig{
	CgroupParent: cgroupParent,
	SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
	- Privileged: kubecontainer.HasPrivilegedContainer(pod),
	-
	- // Forcing sandbox to run as `runtime/default` allow users to
	- // use least privileged seccomp profiles at pod level. Issue #84623
	- SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
	+ Privileged: kubecontainer.HasPrivilegedContainer(pod),
	+ SeccompProfilePath: m.getSeccompProfile(pod.Annotations, "", pod.Spec.SecurityContext, nil),
	},
	}

	--
	2.26.2