Skip to content
main
Switch branches/tags
Code

Latest commit

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.23.1 to 0.23.2.
- [Release notes](https://github.com/kubernetes/client-go/releases)
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.23.1...v0.23.2)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
81644f3

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
api
 
 
 
 
doc
 
 
 
 
 
 
 
 
nix
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Kubernetes Security Profiles Operator

build test coverage CII Best Practices

This project is the starting point for the Security Profiles Operator (SPO), an out-of-tree Kubernetes enhancement which aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.

About

The motivation behind the project can be found in the corresponding RFC.

Related Kubernetes Enhancement Proposals (KEPs) which have direct influence on this project:

Next to those KEPs, here are existing approaches for security profiles in the Kubernetes world:

Features

The SPO's features are implemented for each one of the underlying supported technologies, namely: Seccomp, SELinux and AppArmor. Here's the feature parity status across them:

Seccomp SELinux AppArmor
Profile CRD Yes Yes Yes
ProfileBinding Yes No No
Deploy profiles into nodes Yes Yes WIP
Remove profiles no longer in use Yes Yes WIP
Profile Auto-generation (logs) Yes WIP No
Profile Auto-generation (ebpf) Yes No No
Audit log enrichment Yes WIP Yes

For information about the security model and what permissions each features requires, refer to SPO's security model.

Personas & User Stories

As any other piece of software, this operator is meant to help people. Thus, the target personas have been reflected in a document in this repo.

The functionality that this operator is meant to enable is captured as user stories. If you feel that a user story is not captured properly, feel free to submit a Pull Request. The team will be more than happy to review and help you reflect the requirement.

Roadmap

The project tries to not overlap with those existing implementations to provide valuable additions in a more secure Kubernetes context. We created a mind map to get a better feeling about all features we want to implement to better support some security areas within Kubernetes:

mind-map

Going forwards, the operator will extend its purpose to assist Kubernetes users to create, distribute and apply security profiles for seccomp, AppArmor, SeLinux, PodSecurityPolicies and RBAC permissions.

Community, discussion, contribution, and support

We schedule a monthly meeting every last Thursday of a month.

Learn how to engage with the Kubernetes community on the community page.

You can reach the maintainers of this project at:

Code of conduct

Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.