Comments (6)
I started working on a rough schema definition for this: https://gist.github.com/cmurphy/dc67e2d1214947972f41b7caa2ebf3ae
Going to look into using kubebuilder to translate the yaml into Go and build the controller.
from security-profiles-operator.
Thanks for the comments! I started a rough implementation here: #125
I added `KILL_THREAD` but haven't addressed the other questions of whether to include properties from the runtime spec vs docker vs containerd etc. yet.
cc @cmurphy
Awesome, thank you for the update @cmurphy! I’ll give it a look. (cc @pjbgf @hasheddan)
I really like the proposal in the GitHub gist! One thing you've already mentioned is that some fields are not part of the runtime spec. Now it gets a bit tricky: the main reason for that is that before the runtime spec even existed, docker invented the original seccomp profile types there:

- https://github.com/moby/moby/blob/master/api/types/seccomp.go (used by docker nowadays and includes the additional fields, like `comment`)

But, we also have types there:

- https://github.com/containers/common/blob/master/pkg/seccomp/types.go, used by CRI-O and Podman to not have a need to vendor docker
- https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go#L51, used by containerd; I think they only rely on `LinuxSeccomp` from the spec and do not use moby's types

I like the idea to just rely on the runtime-spec in the first place, because that's the only one where a common standard exists. On the other hand we have to find a way to express the capability bounding (see `includes`, `excludes` in your proposal, or here in containerd).
Just added some comments directly in the gist, but in short: yes, brilliant stuff from @cmurphy! 👍
@saschagrunert I would agree with your suggestion to start with support for the runtime-spec. If we document that non-OCI fields are only supported on the `ConfigMap` implementation we should have no problems.

I have a feeling that most users won't be using things such as `includes`/`excludes`. But if I am wrong, we can always rely on the community to feedback and ask for it later.
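To make the trade-off in the two comments above concrete, here is an added example (not code from the gist, the security-profiles-operator project, moby or containerd) showing both sides of it in Go: a strict decoder that rejects any field outside the runtime-spec `LinuxSeccomp` shape, and a lowering step that resolves Docker-style `includes`/`excludes` capability bounding into a plain runtime-spec profile. The `SpecSeccomp`/`DockerSeccomp` structs are hand-written mirrors of a subset of the real types (no `args`, `errnoRet` or `arches` filters), the sample profile is constructed, and the include/exclude rule (all `includes.caps` must be present, no `excludes.caps` may be present) follows how moby's profile lowering reads to me rather than anything stated on this page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// SpecSeccomp is a constructed mirror of a subset of runtime-spec LinuxSeccomp.
// It is deliberately minimal so the example has no external module dependency.
type SpecSeccomp struct {
	DefaultAction string        `json:"defaultAction"`
	Architectures []string      `json:"architectures,omitempty"`
	Syscalls      []SpecSyscall `json:"syscalls,omitempty"`
}

// SpecSyscall mirrors the names/action part of runtime-spec LinuxSyscall.
type SpecSyscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// DockerSeccomp is a constructed mirror of the moby-style profile, which adds
// the non-OCI "comment", "includes" and "excludes" fields discussed above.
type DockerSeccomp struct {
	DefaultAction string          `json:"defaultAction"`
	Architectures []string        `json:"architectures,omitempty"`
	Syscalls      []DockerSyscall `json:"syscalls"`
}

type DockerSyscall struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	Comment  string   `json:"comment,omitempty"`
	Includes Filter   `json:"includes,omitempty"`
	Excludes Filter   `json:"excludes,omitempty"`
}

// Filter carries the capability part of an includes/excludes block.
type Filter struct {
	Caps []string `json:"caps,omitempty"`
}

// NonOCIFields decodes a profile strictly as runtime-spec JSON. It returns a
// non-nil error naming the first field that is not part of the spec shape,
// which is what a CRD that only supports OCI fields would reject.
func NonOCIFields(profile []byte) error {
	dec := json.NewDecoder(bytes.NewReader(profile))
	dec.DisallowUnknownFields()
	var s SpecSeccomp
	return dec.Decode(&s)
}

// ParseDocker decodes a moby-style profile, accepting the extra fields.
func ParseDocker(profile []byte) (DockerSeccomp, error) {
	var d DockerSeccomp
	err := json.Unmarshal(profile, &d)
	return d, err
}

func contains(set []string, s string) bool {
	for _, x := range set {
		if x == s {
			return true
		}
	}
	return false
}

// Lower resolves capability bounding against the container's bounding set
// (assumed semantics, see lead-in): a rule is kept only if every capability
// in includes.caps is granted and none in excludes.caps is granted. The
// result is a plain runtime-spec profile with the non-OCI fields gone.
func Lower(d DockerSeccomp, caps []string) SpecSeccomp {
	out := SpecSeccomp{DefaultAction: d.DefaultAction, Architectures: d.Architectures}
rules:
	for _, sc := range d.Syscalls {
		for _, c := range sc.Includes.Caps {
			if !contains(caps, c) {
				continue rules
			}
		}
		for _, c := range sc.Excludes.Caps {
			if contains(caps, c) {
				continue rules
			}
		}
		out.Syscalls = append(out.Syscalls, SpecSyscall{Names: sc.Names, Action: sc.Action})
	}
	return out
}

// sampleProfile is a constructed Docker-style profile using all three non-OCI fields.
const sampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW", "comment": "always allowed"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    {"names": ["chroot"], "action": "SCMP_ACT_ALLOW", "excludes": {"caps": ["CAP_SYS_CHROOT"]}}
  ]
}`

func main() {
	fmt.Println("strict OCI decode:", NonOCIFields([]byte(sampleProfile)))
	d, err := ParseDocker([]byte(sampleProfile))
	if err != nil {
		panic(err)
	}
	for _, sc := range Lower(d, []string{"CAP_SYS_PTRACE"}).Syscalls {
		fmt.Println(sc.Names, sc.Action)
	}
}
```

The strict decode fails on the very first rule because of `comment`, which is the behaviour a runtime-spec-only CRD would give users; the lowered output shows why `includes`/`excludes` cannot simply be dropped: the same Docker-style profile produces a different OCI profile depending on which capabilities the container actually holds.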