serving: Seccomp profile in queue-proxy incompatible with gvisor

What version of Knative?

1.8.0

Expected Behavior

Pods should be able to start on GKE nodes running gvisor.

Actual Behavior

gVisor refuses to allow the pods to start because a seccomp profile has been set; the following error is shown in the events, and the pod is not allowed to start:

Seccomp is not supported

https://github.com/knative/serving/pull/13376 added the config below to queue-proxy containers by default; however, gVisor won’t allow any profile, or even a blank profile, to be set.

seccompProfile:
  type: RuntimeDefault

Maybe whether this gets added to the queue-proxy could be made configurable in a ConfigMap?

Steps to Reproduce the Problem

Create a Knative Service on a node running gVisor in a cluster running Knative 1.8.0.
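The following is an added example, not code from Knative or from the issue author, showing how a cluster operator could audit a revision pod's spec for the condition this report describes: a seccompProfile (set at pod level or, as in queue-proxy's case, at container level) on a pod that has been scheduled into GKE Sandbox. It assumes that sandboxed pods are selected with `runtimeClassName: gvisor` and that the spec is the plain `spec` object from `kubectl get pod -o json`; the sample pod spec is constructed for the example. The default `rejected_types` models the behaviour reported here (any profile refused); a later comment in this thread notes that GKE Sandbox accepts RuntimeDefault and Unconfined from 1.26, which is expressed by passing a narrower tuple.

```python
"""Audit a pod spec for seccomp profiles that a gVisor (GKE Sandbox) node would
refuse, and optionally strip them (added example; not Knative's own code).

Assumptions: GKE Sandbox pods carry `runtimeClassName: gvisor`; the input is the
`spec` dict as produced by `kubectl get pod -o json`.
"""
import copy
import json


def effective_seccomp(pod_spec, container):
    """Return the seccompProfile that applies to `container`.

    Kubernetes semantics: a container-level securityContext.seccompProfile
    overrides the pod-level securityContext.seccompProfile.
    """
    container_profile = (container.get("securityContext") or {}).get("seccompProfile")
    if container_profile is not None:
        return container_profile
    return (pod_spec.get("securityContext") or {}).get("seccompProfile")


def find_seccomp_conflicts(pod_spec,
                           rejected_types=("RuntimeDefault", "Localhost", "Unconfined")):
    """List (container name, profile type) pairs the sandbox would refuse.

    Only pods that select the gvisor RuntimeClass are affected; everything
    else is reported as clean. `rejected_types` defaults to "any profile",
    matching the behaviour described in the issue.
    """
    if pod_spec.get("runtimeClassName") != "gvisor":
        return []
    conflicts = []
    for container in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        profile = effective_seccomp(pod_spec, container)
        if profile is not None and profile.get("type") in rejected_types:
            conflicts.append((container["name"], profile.get("type")))
    return conflicts


def strip_seccomp(pod_spec):
    """Return a deep copy of the spec with every seccompProfile removed
    (pod level and container level); the input is left untouched."""
    spec = copy.deepcopy(pod_spec)
    (spec.get("securityContext") or {}).pop("seccompProfile", None)
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        (container.get("securityContext") or {}).pop("seccompProfile", None)
    return spec


# Constructed sample: the shape of a Knative revision pod's spec, trimmed to the
# fields that matter here. Only queue-proxy carries the profile from the report.
SAMPLE_POD_SPEC = {
    "runtimeClassName": "gvisor",
    "containers": [
        {"name": "user-container", "image": "example.invalid/app:1"},
        {"name": "queue-proxy", "image": "example.invalid/queue:1",
         "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
    ],
}

if __name__ == "__main__":
    print(find_seccomp_conflicts(SAMPLE_POD_SPEC))
    print(find_seccomp_conflicts(SAMPLE_POD_SPEC, rejected_types=("Localhost",)))
    print(json.dumps(strip_seccomp(SAMPLE_POD_SPEC), indent=2))
```

Running the script reports queue-proxy as the only conflicting container, shows that the same pod is clean once only Localhost profiles are treated as rejected, and prints the spec with the profile removed; `find_seccomp_conflicts` can be pointed at any pod's `spec` object to see which workloads would fail to start on a sandboxed node before they are scheduled there.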

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (10 by maintainers)

Most upvoted comments

I created a PR to address a)

I think b) would be covered by Evan’s PR https://github.com/knative/serving/pull/13398

Looks like Knative rolled this back, but anyway, per the GKE bug tracker, RuntimeDefault and Unconfined are allowed in GKE Sandbox starting in 1.26.