-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create AppArmor profile for the operator #65
Comments
I love that! Would the deployment work in the same way like we do in #52? Since the complexity of the init container seems to increase we could think about wrapping it in an own container/binary. 😅 |
Yes, we probably would have to deploy it in the same way as #52. As for its own binary, there are a few issues as we discussed off-line. We could isolate each one of those "self profile deployment" in specific init containers, that could make it easier for easier to opt-out. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
@pjbgf do you have any update on this one? |
@saschagrunert I should get something ready this week. |
@saschagrunert we may need to think on a different approach to deploy the operator's own apparmor profile, as I mentioned on the PR and on the k8s issue (kubernetes/kubernetes#97273), the approach taken on seccomp does not work for AppArmor. |
Sounds good, let's put it on the agenda for the community meeting this week. 👍 |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
Yes I think this would make sense 👍 |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
I think now we can use the apparmor in-cluster profile recorder to create/maintain a profile. |
/remove-lifecycle rotten |
What would you like to be added:
A tailor-made AppArmor profile to restrict functionality to the minimum required for the operator to run.
Why is this needed:
Better define the attack surface, giving users a clear view of what the operator can/cannot do.
/area security
/priority important-longterm
The text was updated successfully, but these errors were encountered: