Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should apparmor always view unconfined as complaint? #475

Open
fseldow opened this issue Feb 2, 2024 · 4 comments
Open

Should apparmor always view unconfined as complaint? #475

fseldow opened this issue Feb 2, 2024 · 4 comments
Labels
stale

Comments

@fseldow
Copy link
Contributor

fseldow commented Feb 2, 2024

Hi gatekeeper-library,
In apparmor constraint template, we setup the rule to block container using apparmor not existed in the parameter allowedProfiles
https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/apparmor/template.yaml

However, in the apparmor api doc, it is said unconfined to indicate that no profiles will be loaded So will it be reasonable to view unconfined as always complaint even if the allowedProfiles is empty or without unconfined?
@fseldow fseldow mentioned this issue Feb 2, 2024
Closed
@apeabody
Copy link
Contributor

apeabody commented Apr 3, 2024
edited

Hi @fseldow! - Not specific to unconfined, but for backwards compatibility we want to preserve the templates existing behavior. So any potentially breaking change would probably need to be gated with a new parameter, for which the default would maintain the template's current behavior.

@fseldow
Copy link
Contributor Author

fseldow commented Apr 4, 2024
edited

Hi @apeabody thx for discussion.
In my draft pr: https://github.com/open-policy-agent/gatekeeper-library/pull/476/files#diff-12f0a346e8a71d42c3220276be2c51872b8195d0838c33ec2a24d09657c74937

The result change will happen only when input parameter does not include unconfined but the container is set as unconfined. We used to view it as non-complaint. After the change it will become complaint.
In other word, the parameter allowedProfile will by default include unconfined then

Will it also be viewed as breaking change? because from my side, it will not suddenly casue complaint resources to be non-complaint or deny the curd of pods

@ritazh
Copy link
Member

ritazh commented Apr 4, 2024

Thanks for raising this @fseldow!
After looking at the docs, if this annotation is set to unconfined for a specific container, it means that the container will not be subject to any AppArmor profile restrictions. This configuration effectively disables AppArmor protection for the container, allowing it to run with the default permissions and capabilities granted by the Kubernetes cluster and the underlying operating system.

+1 to adding a new parameter in the policy to enable this behavior to allow compliance for unconfined, while ensuring the default behavior when the new parameter is no set is non compliant.

@stale Stale
Copy link

stale bot commented Jun 7, 2024

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

policy allowed apparmor always allow unconfined fseldow/gatekeeper-library
3 participants
@ritazh @apeabody @fseldow