This project forked from kubewarden/apparmor-psp-policy

A Kubewarden Pod Security Policy that controls usage of AppArmor profiles

Home Page: https://kubewarden.io

License: Apache License 2.0

Rust 79.34% Makefile 20.66%

kubewarden-policy-psp-apparmor's Introduction

This Kubewarden Policy is a replacement for the Kubernetes Pod Security Policy that controls the usage of AppArmor profiles.

How the policy works

This policy works by defining a whitelist of allowed AppArmor profiles. Pods are then inspected at creation and update time, to ensure only approved profiles are used.

When no AppArmor profile is defined, Kubernetes leaves the final choice to the underlying container runtime, which applies its own default AppArmor profile. Because of that, the default behaviour of this policy is to accept workloads that do not specify an AppArmor profile.

Configuration

The policy can be configured with the following data structure:

# list of allowed profiles
allowed_profiles:
- runtime/default
- localhost/my-special-workload
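A compact model of the evaluation described above, written here as an added example in Rust (the language the policy itself is written in); it is not taken from the kubewarden/apparmor-psp-policy code base. It assumes the Pod's `metadata.annotations` have already been parsed into a map (no YAML parser or Kubewarden SDK dependency), reads every `container.apparmor.security.beta.kubernetes.io/<container-name>` key, accepts containers that carry no such annotation, and rejects the Pod on the first container whose profile is outside `allowed_profiles`. The `Settings`, `Verdict`, `evaluate` and `pod_annotations` names are this example's own, and the Pods built in `main` are constructed from the Examples section below.

```rust
use std::collections::{BTreeMap, HashSet};

/// Per-container AppArmor annotation key prefix:
/// `container.apparmor.security.beta.kubernetes.io/<container-name>`.
pub const APPARMOR_ANNOTATION_PREFIX: &str = "container.apparmor.security.beta.kubernetes.io/";

/// Policy settings, mirroring the README's `allowed_profiles` list.
#[derive(Debug, Clone)]
pub struct Settings {
    pub allowed_profiles: HashSet<String>,
}

impl Settings {
    pub fn new(profiles: &[&str]) -> Self {
        Settings {
            allowed_profiles: profiles.iter().map(|p| p.to_string()).collect(),
        }
    }
}

/// Outcome of evaluating one Pod.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    Accept,
    Reject(String),
}

/// Evaluate a Pod's metadata.annotations against the settings.
///
/// Containers without an AppArmor annotation are accepted: Kubernetes leaves the
/// choice to the container runtime, which applies its default profile. Every
/// annotated container must name an allowed profile; the first one that does
/// not rejects the whole Pod, and the message names the offending container.
pub fn evaluate(settings: &Settings, annotations: &BTreeMap<String, String>) -> Verdict {
    for (key, profile) in annotations {
        let container = match key.strip_prefix(APPARMOR_ANNOTATION_PREFIX) {
            Some(name) => name,
            None => continue, // unrelated annotation, ignore it
        };
        if !settings.allowed_profiles.contains(profile.as_str()) {
            return Verdict::Reject(format!(
                "container '{}' uses AppArmor profile '{}', which is not in allowed_profiles",
                container, profile
            ));
        }
    }
    Verdict::Accept
}

/// Build a Pod's annotation map from (container name, profile) pairs.
/// This is constructed test data standing in for a parsed Pod manifest.
pub fn pod_annotations(containers: &[(&str, &str)]) -> BTreeMap<String, String> {
    containers
        .iter()
        .map(|(name, profile)| {
            (format!("{}{}", APPARMOR_ANNOTATION_PREFIX, name), profile.to_string())
        })
        .collect()
}

fn main() {
    // "Do not allow unconfined workloads": only the runtime default is allowed.
    let strict = Settings::new(&["runtime/default"]);
    // "Limit the AppArmor profiles": the runtime default plus one local profile.
    let limited = Settings::new(&["runtime/default", "localhost/my-custom-profile"]);

    // The Pods from the Examples section, reduced to their annotations.
    let pods = [
        ("hello-apparmor", pod_annotations(&[("hello", "runtime/default")])),
        ("hello-apparmor-default-profile", pod_annotations(&[])),
        ("hello-unconfined", pod_annotations(&[("hello", "unconfined")])),
        ("hello-custom-profile", pod_annotations(&[("hello", "localhost/my-custom-profile")])),
        ("hello-unknown-profile", pod_annotations(&[("hello", "localhost/unknown-profile")])),
    ];

    for (name, annotations) in &pods {
        println!("{:<32} strict:  {:?}", name, evaluate(&strict, annotations));
        println!("{:<32} limited: {:?}", name, evaluate(&limited, annotations));
    }
}
```

Two points worth keeping in mind when reading the result. A Pod is only as confined as its least confined container, so the check walks every annotated container instead of stopping at the first allowed one, and the rejection message names the container so the operator can see which one to fix. The check also only sees what the annotations express; Kubernetes 1.30 and later can also carry the profile in the `securityContext.appArmorProfile` field, which an annotation-only evaluation like this one (and the README's description) does not inspect.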

Examples

Do not allow unconfined workloads

Running a container with the unconfined profile is considered a bad security practice.

This can be prevented with the following settings:

allowed_profiles:
- runtime/default

This configuration would allow these Pods:

apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: runtime/default
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-default-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]

While these Pods would not be allowed on the cluster:

apiVersion: v1
kind: Pod
metadata:
  name: hello-unconfined
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: unconfined
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-custom-profile
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/my-custom-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]

Limit the AppArmor profiles that can be used

The following configuration would force all workloads to either not specify an AppArmor profile (and hence use the default one provided by the container runtime) or use one of the approved profiles:

allowed_profiles:
- runtime/default
- localhost/my-custom-profile

This configuration would allow these Pods:

apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: runtime/default
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-default-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-custom-profile
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/my-custom-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]

While these Pods would not be allowed on the cluster:

apiVersion: v1
kind: Pod
metadata:
  name: hello-unconfined
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: unconfined
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-unknown-profile
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/unknown-profile
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]

Contributors

ereslibre, flavio, jvanz, olblak, renovate-bot, renovate[bot], viccuad
