install.md
October 12, 2022 ยท View on GitHub
Seccomp Agent is a DaemonSet deployed in the cluster and relies on new features in runc.
Installing Seccomp Agent
System Requirements:
- Linux kernel >= 5.9
- Libseccomp >= 2.5.2 (>=2.5.2 recommended)
- Runc >= 1.1.0
- Docker from git(needs to include this PR)
- Or if you are using containerd instead of docker, containerd >=1.5.5(>=1.6.0-rc.1 recommended)
Recommended:
- Flatcar Container Linux >= 3127.0.0
- containerd >= 1.6.0-rc1
- Security Profiles Operator (SPO) >= v0.4.1 (unreleased) or from git main
To ensure you have installed correct version of container runtime that support seccomp notify, use the command below:
strings $(which dockerd) | grep listenerPath
or if you are using containerd as your runtime
strings $(which containerd) | grep listenerPath
If the output is empty, it means your container runtime haven't enabled the feature of seccomp notify. Please check the requirements again in case you missed one.
With Typhoon on Azure
In the docs/terraform directory, you can find terraform files to start a
Kubernetes cluster with the required dependencies.
Please see the Azure tutorial from the Typhoon documentation.
Deploy the Seccomp Agent DaemonSet
kubectl apply -f deploy/seccompagent.yaml
Deploy a pod with a Seccomp Profile
If you use the Security Profiles Operator (SPO), you can deploy a Seccomp Profile with kubectl:
kubectl apply -f docs/profiles/notify-dangerous.yaml
Otherwise, you can install docs/profiles/notify-dangerous.json on the worker
nodes manually, in the /var/lib/kubelet/seccomp/ directory.
Start a new pod:
kubectl apply -f docs/examples/pod.yaml