seccomp-profile

module v0.0.0-...-98b4640
Published: Nov 14, 2022 License: Apache-2.0

README

Seccomp Profile Distribution Controller

This is a work in progress.

This provides a CRD and controller components that distribute seccomp profiles to nodes, automating the process described in the Kubernetes docs: https://kubernetes.io/docs/tutorials/security/seccomp

Seccomp profiles allow users to audit or limit system calls ("syscalls") used by containers.

Try it out

If you don't have a cluster, you can create one with KinD:

kind create cluster --config=kind.yaml

This creates a cluster with 2 worker nodes, to demonstrate that profiles are distributed to every node.

I've also tested this on a GKE cluster.

Then install the components:

KO_DOCKER_REPO=kind.local ko apply -f config/

(On Apple Silicon this also needs --platform=linux/arm64)

Check that the components are up:

$ kubectl get pods -n seccomp-profile
NAME                       READY   STATUS    RESTARTS   AGE
controller-pg4fg           1/1     Running   0          11m
controller-ssshb           1/1     Running   0          11m
webhook-65f995489c-chvll   1/1     Running   0          22m

Create some SeccompProfile resources:

$ kubectl apply -f profiles/
seccompprofile.seccomp.imjasonh.dev/audit unchanged
seccompprofile.seccomp.imjasonh.dev/fine-grained unchanged
seccompprofile.seccomp.imjasonh.dev/violation unchanged

Then create a Pod that uses the audit policy:

$ kubectl create -f pods/audit-pod.yaml
pod/audit-pod-wczbg created
$ kubectl get pod audit-pod-wczbg
NAME              READY   STATUS      RESTARTS   AGE
audit-pod-wczbg   0/1     Completed   0          9s

...and a Pod that uses the violation policy; this should fail:

$ kubectl create -f pods/violation-pod.yaml
pod/violation-pod-jsmkp created
$ kubectl get pod violation-pod-jsmkp
NAME                  READY   STATUS       RESTARTS   AGE
violation-pod-jsmkp   0/1     StartError   0          4s
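As an added example (not code from this repository), the kind of check a controller could run on a profile before copying it to every node: it parses the seccomp JSON format the Kubernetes tutorial uses, rejects unknown actions, and answers what a profile does with a given syscall. That answer is why the audit Pod above completes (everything is logged) while the violation Pod cannot even start (everything is denied). The function names and the three sample profiles are assumptions modelled on the tutorial's audit, violation and fine-grained profiles, not the contents of this repository's profiles/ directory.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Profile is the subset of the runtime seccomp JSON format that the tutorial's profiles use.
type Profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls,omitempty"`
}
// knownActions are the SCMP_ACT_* action strings the seccomp JSON format accepts.
var knownActions = map[string]bool{
	"SCMP_ACT_ALLOW": true, "SCMP_ACT_LOG": true, "SCMP_ACT_ERRNO": true, "SCMP_ACT_KILL": true, "SCMP_ACT_TRAP": true,
	"SCMP_ACT_KILL_PROCESS": true, "SCMP_ACT_KILL_THREAD": true, "SCMP_ACT_TRACE": true, "SCMP_ACT_NOTIFY": true,
}
// ParseProfile decodes a profile and rejects unknown actions (e.g. the typo SCMP_ACT_ALOW) before it reaches any node.
func ParseProfile(data []byte) (Profile, error) {
	var p Profile
	if err := json.Unmarshal(data, &p); err != nil {
		return p, err
	}
	if !knownActions[p.DefaultAction] {
		return p, fmt.Errorf("unknown defaultAction %q", p.DefaultAction)
	}
	for i, sc := range p.Syscalls {
		if !knownActions[sc.Action] {
			return p, fmt.Errorf("syscalls[%d]: unknown action %q", i, sc.Action)
		}
	}
	return p, nil
}
// Effect reports what the profile does with one syscall: first rule naming it wins, else defaultAction (argument filters out of scope).
func (p Profile) Effect(syscall string) string {
	for _, sc := range p.Syscalls {
		for _, n := range sc.Names {
			if n == syscall {
				return sc.Action
			}
		}
	}
	return p.DefaultAction
}
// Constructed samples modelled on the tutorial's audit/violation/fine-grained profiles (an assumption, not this repo's profiles/ dir).
const AuditJSON = `{"defaultAction":"SCMP_ACT_LOG"}`
const ViolationJSON = `{"defaultAction":"SCMP_ACT_ERRNO"}`
const FineGrainedJSON = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["write","exit_group","epoll_wait"],"action":"SCMP_ACT_ALLOW"}]}`
```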

Future Work

Container images could distribute their seccomp profiles in their metadata. If they did, the webhook component could extract those profiles from incoming images, create SeccompPolicy resources, and mutate PodSpecs to use them.

An image build tool could determine the seccomp profile based on source analysis, or hand-curated overrides, and distribute those profiles with the image.

Directories

Path Synopsis
cmd
pkg
apis/clientset/versioned
This package has the automatically generated clientset.
apis/clientset/versioned/fake
This package has the automatically generated fake clientset.
apis/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
apis/clientset/versioned/typed/seccomp/v1alpha1
This package has the automatically generated typed clients.
apis/clientset/versioned/typed/seccomp/v1alpha1/fake
Package fake has the automatically generated clients.
apis/seccomp/v1alpha1
+k8s:deepcopy-gen=package +groupName=seccomp.imjasonh.dev
third_party
VENDOR-LICENSE/github.com/hashicorp/golang-lru
Package lru provides three different LRU caches of varying sophistication.
