feat(core): Seccomp Profile for Kubearmor #1661
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PrimalPimmy
force-pushed
the
sec
branch
6 times, most recently
from
a41c14c
to
6e11959
Compare
|
Add an option to not add seccomp to security context of daemonset based on config crd |
PrimalPimmy
force-pushed
the
sec
branch
5 times, most recently
from
19f037b
to
eea4032
Compare
daemon1024
previously approved these changes
Mar 8, 2024
Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> Config file added for seccomp path Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> reversed config file (will need another approach Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> reversed helm value Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> reversed config value Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> Added license Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> feat(operator): check if seccomp path is there Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> revert something Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> reverting init seccomp Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com>
Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> Fix(init): seccomp added to make init work Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> Attempting to fix synk vulns Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> synk vuln check Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> Custom syscall types added Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> chore(update): Licensing and ubi image tests for operator Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> fix(seccomp): Liveness probe fix Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> revert seccomp tests Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com>
PrimalPimmy
force-pushed
the
sec
branch
3 times, most recently
from
cbf9589
to
98e419e
Compare
|
Won't squash these 3 commits, might need them for reference |
rksharma95
reviewed
Mar 8, 2024
Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> Clean up and fixes Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> Config logic fix Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com> Seperated config map Signed-off-by: PrimalPimmy <Prashant20.pm@gmail.com>
daemon1024
approved these changes
Mar 8, 2024
24 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose of PR?:
Part of securing kubearmor in issue #1186
This PR introduces seccomp profile for both kubearmor and kubearmor-init container, by only allowing necessary syscalls needed by Kubearmor to run and function properly.
Does this PR introduce a breaking change?
Although there may not be any breaking change, we may need to be on the lookout incase we missed to whitelist any necessary syscall.
Additional information for reviewer? :
Couple of things that still needs to be done:
Define custom Kubelet directory incase it is different than default (Default isAlso will be done later. Seccomp will simply not load but kubearmor will run normally if path is different, and that's okay for now/var/lib/kubelet/seccomp)Runtime default seccomp for all other Kubearmor pods.Will be done in another PR/releaseChecklist:
<type>(<scope>): <subject>