Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create AppArmor profile for the operator #65

Open
pjbgf opened this issue Aug 4, 2020 · 30 comments
Open

Create AppArmor profile for the operator #65

pjbgf opened this issue Aug 4, 2020 · 30 comments
Assignees
@pjbgf
Labels
area/security Issues or PRs related to security aspects of the operator kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@pjbgf
Copy link
Member

pjbgf commented Aug 4, 2020

What would you like to be added:

A tailor-made AppArmor profile to restrict functionality to the minimum required for the operator to run.

Why is this needed:

Better define the attack surface, giving users a clear view of what the operator can/cannot do.

/area security
/priority important-longterm
@pjbgf pjbgf added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 4, 2020
@k8s-ci-robot k8s-ci-robot added area/security Issues or PRs related to security aspects of the operator priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Aug 4, 2020
@saschagrunert
Copy link
Member

I love that! Would the deployment work in the same way like we do in #52?

Since the complexity of the init container seems to increase we could think about wrapping it in an own container/binary. 😅

@pjbgf pjbgf self-assigned this Aug 7, 2020
@pjbgf
Copy link
Member Author

pjbgf commented Aug 7, 2020

Yes, we probably would have to deploy it in the same way as #52.

As for its own binary, there are a few issues as we discussed off-line. We could isolate each one of those "self profile deployment" in specific init containers, that could make it easier for easier to opt-out.

@saschagrunert saschagrunert added this to the v0.2.0 milestone Aug 13, 2020
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 11, 2020
@pjbgf
Copy link
Member Author

pjbgf commented Nov 19, 2020

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 19, 2020
@saschagrunert
Copy link
Member

@pjbgf do you have any update on this one?

@saschagrunert saschagrunert modified the milestones: v0.2.0, v0.3.0 Dec 3, 2020
@pjbgf
Copy link
Member Author

pjbgf commented Dec 7, 2020

@saschagrunert I should get something ready this week.

@pjbgf pjbgf mentioned this issue Dec 14, 2020
Closed
@pjbgf
Copy link
Member Author

pjbgf commented Dec 14, 2020

@saschagrunert we may need to think on a different approach to deploy the operator's own apparmor profile, as I mentioned on the PR and on the k8s issue (kubernetes/kubernetes#97273), the approach taken on seccomp does not work for AppArmor.

@saschagrunert
Copy link
Member

@saschagrunert we may need to think on a different approach to deploy the operator's own apparmor profile, as I mentioned on the PR and on the k8s issue (kubernetes/kubernetes#97273), the approach taken on seccomp does not work for AppArmor.

Sounds good, let's put it on the agenda for the community meeting this week. 👍

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 11, 2021
@saschagrunert saschagrunert modified the milestones: v0.3.0, v0.4.0 Apr 26, 2021
@pjbgf
Copy link
Member Author

pjbgf commented May 18, 2021

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 18, 2021
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 16, 2021
@pjbgf
Copy link
Member Author

pjbgf commented Aug 20, 2021

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 20, 2021
@saschagrunert saschagrunert removed this from the v0.4.0 milestone Oct 15, 2021
@pjbgf pjbgf mentioned this issue Nov 17, 2021
Merged
@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 10, 2022
@pjbgf
Copy link
Member Author

pjbgf commented Apr 10, 2022
edited
Loading

@pjbgf I assume we prefer the kube-native way? Would it be possible to apply the profile only on specific kubernetes versions by checking it before deploying the daemon?

@saschagrunert yes, I think we are better off doing kube-native, which in this case would mean deploying the profile in a container init.
Now I am not sure how we would check the Kubernetes version to be honest. The changes upstream affected the Kubelet iirc, so this could mean that nodes in different version could break. Potentially the daemonset could just check "is my AppAmor profile loaded? If so, use it, otherwise fall-back to default".

@pjbgf
Copy link
Member Author

pjbgf commented Apr 10, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 10, 2022
@saschagrunert
Copy link
Member

Potentially the daemonset could just check "is my AppAmor profile loaded? If so, use it, otherwise fall-back to default".

Yes I think this would make sense 👍

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 10, 2022
@pjbgf
Copy link
Member Author

pjbgf commented Jul 10, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 10, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 8, 2022
@pjbgf
Copy link
Member Author

pjbgf commented Oct 10, 2022

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 10, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 8, 2023
@pjbgf
Copy link
Member Author

pjbgf commented Jan 9, 2023

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 9, 2023
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 9, 2023
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 9, 2023
@vaibhav2107
Copy link
Contributor

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Sep 27, 2023
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 29, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 28, 2024
@ccojocar
Copy link
Contributor

I think now we can use the apparmor in-cluster profile recorder to create/maintain a profile.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pjbgf pjbgf

Labels
area/security Issues or PRs related to security aspects of the operator kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Create an AppArmor profile for the operator pjbgf/security-profiles-operator
7 participants
@ccojocar @saschagrunert @pjbgf @k8s-ci-robot @fejta-bot @k8s-triage-robot @vaibhav2107