Commit bad9895

feat: add docs for seccompProfile workspace template fields (#1130)
1 parent 089544b commit bad9895

1 file changed

+45
-0
lines changed

workspaces/workspace-templates/templates.md

Lines changed: 45 additions & 0 deletions
@@ -64,6 +64,10 @@ workspace:
6464
value:
6565
- key: annotation-key
6666
value: annotation-value
67+
seccomp-profile-type:
68+
value: Localhost
69+
seccomp-profile-localhost-profile:
70+
value: profiles/custom-profile.json
6771
configure:
6872
start:
6973
value:
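Review bot: the sample path at new lines 69-70 is `profiles/custom-profile.json`, while the reference example added further down in this commit uses `profiles/my-custom-profile.json`; use one path so the template sample and the field reference match. Since the full sample now shows `seccomp-profile-type` and `seccomp-profile-localhost-profile` next to the other `kubernetes` fields, a short note near the sample that both are disabled by default and must be enabled by a site admin, as the reference text states, would keep readers who copy it from being surprised.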
@@ -262,6 +266,47 @@ node-selector:
262266

263267
`node-selector` is disabled by default and must be enabled by a site admin.
264268

269+
#### workspace.specs.kubernetes.seccomp-profile-type.value
270+
271+
Applies a [seccomp profile](https://kubernetes.io/docs/tutorials/security/seccomp/)
272+
to the workspace pod. The value is a string, corresponding to the `type`
273+
subfield of the PodSecurityContext `seccompProfile` attribute.
274+
275+
For example, the following snippet would explicitly disable seccomp protection:
276+
277+
```yaml
278+
seccomp-profile-type:
279+
value: Unconfined
280+
```
281+
282+
`seccomp-profile-type` is disabled by default and must be enabled by a site
283+
admin.
284+
285+
#### workspace.specs.kubernetes.seccomp-profile-localhost-profile.value
286+
287+
Applies a custom [seccomp profile](https://kubernetes.io/docs/tutorials/security/seccomp/)
288+
to the workspace pod. The value is a string, corresponding to the
289+
`localhostProfile` subfield of the PodSecurityContext `seccompProfile`
290+
attribute.
291+
292+
Per the [Kubernetes
293+
documentation](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#seccompprofile-v1-core),
294+
this attribute is only valid if used in combination with the `Localhost` seccomp
295+
profile type. Its value must correspond to the path of a valid JSON profile that
296+
is already configured on the Kubernetes worker nodes.
297+
298+
The following snippet demonstrates setting a custom profile:
299+
300+
```yaml
301+
seccomp-profile-type:
302+
value: Localhost
303+
seccomp-profile-localhost-profile:
304+
value: profiles/my-custom-profile.json
305+
```
306+
307+
`seccomp-profile-localhost-profile` is disabled by default and must be enabled
308+
by a site admin.
309+
265310
#### workspace.configure
266311

267312
This section lists the commands that run within the workspace after Coder builds
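Review bot: the only example given for `seccomp-profile-type` (new lines 277-279) is `Unconfined`, which the text itself describes as explicitly disabling seccomp protection, and the section never lists which values the field accepts. Suggest listing the accepted `type` values and leading with a restrictive example, keeping `Unconfined` as a clearly marked opt-out. The `seccomp-profile-localhost-profile` section says the field is only valid with the `Localhost` type, but not what happens when the two are set inconsistently (a profile path with another type, or `Localhost` with no path), nor which directory on the worker node the relative path `profiles/my-custom-profile.json` is resolved against; each is worth a sentence.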
