-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add apparmor and seccomp to PodSecurityPolicy #22159
Comments
With SELinux we made the assumption that your policy across the cluster was either homogenous, or that you were responsible for defining a pattern and applying it and controlling access to nodes. Does the indirection from pod to profile have any particular benefit or disadvantages? For selinux it's been a fairly mechanical range / enforcement usage, although we're starting to ask how to propagate assigned labels from pod to PVC to PV. |
We have this. It is called PodSecurityPolicy. The type is checked in. Enforcement code is not in yet. |
@pweil- any plans to add seccomp support? |
@erictune I'll be able to focus more on this when we close out 1.2 (which mostly corresponds to our 3.2) so likely in after the next sprint. I'd like to add the seccomp support somewhere in the PSP. I haven't thought through where the actual profile lives and how it makes its way to the node if we're not expecting it to be there already. |
Awesome. Since I clearly can't read every PR (sad face), I'll pick a The yaml is going to be pretty mouthy for SELinux:
Could we reduce it to:
In the next cycle we'll need to add apparmor here, and we can discuss the Tim On Mon, Feb 29, 2016 at 10:19 AM, Paul Weil notifications@github.com
|
👍 |
And seccomp modes and filters? On Wed, Mar 2, 2016 at 5:52 AM, Paul Weil notifications@github.com wrote:
|
something like #22419 ? On Wed, Mar 2, 2016 at 5:52 AM, Paul Weil notifications@github.com wrote:
|
Retitled to better reflect current needs :) |
Lemme compare that to On Thu, Mar 3, 2016 at 12:01 AM, Tim Hockin notifications@github.com
|
In podSecurityPolicy: 1. Rename .seLinuxContext to .seLinux 2. Rename .seLinux.type to .seLinux.rule 3. Rename .runAsUser.type to .runAsUser.rule 4. Rename .seLinux.SELinuxOptions 1,2,3 as suggested by thockin in kubernetes#22159. I added 3 for consistency with 2.
Seccomp PSP support is on its way: #28300 |
How does this play with the CRI? https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/container-runtime-interface-v1.md cc @yujuhong ? |
We will have to extend CRI to support this as well. There are a few things in the pipeline that we will need to add later, and this is one of them. Let me file an issue. |
I was speaking with a customer this week who has a fairly established app stack using apparmor. As we explored how to make it work in Kubernetes it dawned on me that, even if the config of an apparmor profile is opaque, the existence of it can be exposed in the API and carried all the way down to container runtime (e.g. Docker).
We could do something like:
Just jotting notes for future work. We'll want to accommodate seccomp before long and who know what else.
The text was updated successfully, but these errors were encountered: