third_party/go/patches/k8s-revert-seccomp-runtime-default.patch

Copyright 2020 The Monogon Project Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


From 2adf4ec9796839014a708761b8fb6ad815306def Mon Sep 17 00:00:00 2001
From: Serge Bazanski <serge@nexantic.com>
Date: Tue, 26 Jan 2021 11:37:01 +0100
Subject: [PATCH] Manually revert 
 https://github.com/kubernetes/kubernetes/pull/90949

This reverts PR 90494 which breaks runc within Metropolis. See T916.

---
 pkg/kubelet/kuberuntime/kuberuntime_sandbox.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index 0978044f753..c46436f2a41 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
@@ -148,11 +148,8 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (
 	lc := &runtimeapi.LinuxPodSandboxConfig{
 		CgroupParent: cgroupParent,
 		SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
-			Privileged: kubecontainer.HasPrivilegedContainer(pod),
-
-			// Forcing sandbox to run as `runtime/default` allow users to
-			// use least privileged seccomp profiles at pod level. Issue #84623
-			SeccompProfilePath: v1.SeccompProfileRuntimeDefault,
+			Privileged:         kubecontainer.HasPrivilegedContainer(pod),
+			SeccompProfilePath: m.getSeccompProfile(pod.Annotations, "", pod.Spec.SecurityContext, nil),
 		},
 	}
 
-- 
2.26.2