Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harden the spo and bpf-recorder containers with custom apparmor profiles #2646

Merged
merged 4 commits into from
Jan 22, 2025
Merged

Harden the spo and bpf-recorder containers with custom apparmor profiles #2646

merged 4 commits into from
Jan 22, 2025

Conversation

ccojocar
Copy link
Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

This pull request harden the security-profiles-operator and bpf-recorder containers as part of spod daemonset with custom apparmor profiles when apparmor is enabled.
These two containers run in privileged mode when the apparmor is activated.

Which issue(s) this PR fixes:

Fixes #65

Does this PR have test?

Yes

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Harden the security-profiles-operator and bpf-recorder containers with custom apparmor profiles when apparmor is enabled.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Dec 23, 2024
@k8s-ci-robot k8s-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Dec 23, 2024
@ccojocar ccojocar requested review from saschagrunert and removed request for JAORMX and Vincent056 December 23, 2024 16:30
@ccojocar
Copy link
Contributor Author

cc @mhils

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jan 17, 2025
@ccojocar
Harden the spo and bpf-recorder containers with custom apparmor profiles
3387c17 
Change-Id: Iccb89ec24d4f513acff9d7828dea6a4ab3c33ef1
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar
Fix typos
9cea202 
Change-Id: I8a4f7031c81fe1f47f1a0a55276b415bb6d59732
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar
Update seccomp and apaprmorprofile
e638e83 
Change-Id: Ie5183b2d1f0550ab463f4c3d0fd713d1de6ec39b
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar
Add the missing syscalls in the seccomp profile required to remove pr…
fe5e5d9 
…ofiles

Change-Id: I913f1d20563311b5bb40b5f29293f1235a76a6d3
Signed-off-by: Cosmin Cojocar <[email protected]>
@ccojocar
Copy link
Contributor Author

@saschagrunert Please could you have a look at this? Thanks a lot!

saschagrunert
saschagrunert approved these changes Jan 22, 2025
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 22, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ccojocar, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [ccojocar,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 8098b14 into main Jan 22, 2025
28 checks passed
@mhils mhils mentioned this pull request Jan 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saschagrunert saschagrunert saschagrunert approved these changes

Assignees

@saschagrunert saschagrunert

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create AppArmor profile for the operator
3 participants
@ccojocar @k8s-ci-robot @saschagrunert