chore: add docker-compose file for securing unorchestrated container and hosts #1790
base: main
Signed-off-by: Navin Chandra <navinchandra772@gmail.com>
@navin772 did we test this out? Does everything work as expected? Can you try running your test suite against this?
@daemon1024 I will run the tests and share the results, also do we need a CI for docker mode?
@navin772 eventually yes, if you think it's easy to handle let's do it. But let's keep it in a separate PR. The CI would need to run on BPFLSM runner since we don't have first class AppArmor support
it might lead to continuous container spin ups if kubearmor fails to start
Signed-off-by: Navin Chandra <navinchandra772@gmail.com>
@daemon1024 I tested this on the non-k8s HSP test suite and the tests pass except one (enforcement works but the policy name is not matching). Currently, just for testing I ran the docker compose file in CI (which pulls the stable images) but we should be building the docker images first and then testing them.
@daemon1024 @DelusionalOptimist this is the workflow that I ran to test in docker mode - workflow. I will add the
Purpose of PR?:
Fixes #1341
Does this PR introduce a breaking change?
If the changes in this PR are manually verified, list down the scenarios covered:
Explicitly adding the capabilities via `cap_add` and removing the `privileged: true` field gives an error.
Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs
Suggest tag to be used for `kubearmor/kubearmor` image - latest or stable?
Documentation added for docker compose usage.
Checklist:
<type>(<scope>): <subject>