Comments (10)
JAORMX
commented on June 21, 2024
I don't think we'd explicitly need a CRD for this. I think it would be appropriate to add such a configuration to the SPOD CRD instead.
from security-profiles-operator.
saschagrunert
commented on June 21, 2024
@JAORMX is there a list of booleans we should support? Or should we just use a plain map of enabled/disabled booleans and error with an event if they're not supported?
from security-profiles-operator.
JAORMX
commented on June 21, 2024
I don't have a list ready from the top of my head. The tricky thing is that a given system might have many. It would surely be easier just to take a plain map and issue an event if it's not supported. But that doesn't provide for great usability, as an administrator wouldn't have a good notion of what's available. On the other hand, adding the available booleans as a status would also be quite overwhelming. I don't have a good answer for this... The best thing I can think of is having the SPOD output the booleans to a configmap, and store the config map reference in the SPOD's status.
If we merely want to have support for folks easily toggling booleans, the plain map is the best I can think of.
from security-profiles-operator.
JAORMX
commented on June 21, 2024
@saschagrunert I think the best thing is to come up with concrete examples of what folks would normally need to toggle and optimize for that in the beginning.
from security-profiles-operator.
saschagrunert
commented on June 21, 2024
@JAORMX sounds good to me! I'm not sure if the list of available booleans would vary across systems, then we could not plainly sync them from a config map or status field.
Having a plain map which the SPO tries to enforce seems the best way forward, though.
from security-profiles-operator.
JAORMX
commented on June 21, 2024
@saschagrunert the booleans will vary accross systems depending on what policy they're based on. Basically, there are two main SELinux base policy groups out there:
- Upstream SELinux-based
- Fedora-based
They have variations in how policies are implemented and some booleans may also vary.
The ConfigMap outputting the booleans could be merely a status implementation... if nothing else.
from security-profiles-operator.
k8s-triage-robot
commented on June 21, 2024
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle stale - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
from security-profiles-operator.
k8s-triage-robot
commented on June 21, 2024
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle rotten - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
from security-profiles-operator.
k8s-triage-robot
commented on June 21, 2024
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Reopen this issue with
/reopen - Mark this issue as fresh with
/remove-lifecycle rotten - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
from security-profiles-operator.
k8s-ci-robot
commented on June 21, 2024
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
In response to this:
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied- After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied- After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closedYou can:
- Reopen this issue with
/reopen- Mark this issue as fresh with
/remove-lifecycle rotten- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from security-profiles-operator.
Related Issues (20)
- Release v0.8.1
- getting owner profile: the node status owner is of an unknown kind HOT 3
- tolerations not honoured HOT 4
- AKS eBPF recording HOT 15
- Can not re-install SPO HOT 1
- ignore istio init container while eBPF profiling HOT 8
- AppArmor does not work HOT 15
- Release v0.8.2 HOT 1
- [Question] Disable webhook deployment HOT 4
- Seeing Policy Violations HOT 7
- Security Profiles Operator should support dynamic infrastructures HOT 4
- Release v0.8.3 HOT 1
- deletion of a `SelinuxProfile` object hangs forever HOT 6
- Proposal: Allow `spoc` to simultaneously record different profile types. HOT 2
- Release v0.8.4 HOT 10
- OLM tests are flaking HOT 3
- Question: Distributing policies with images? HOT 4
- AppArmor Profile not activated.
- Update kubectl command in security-profiles-operator documentation HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security-profiles-operator.