
Create AppArmor profile for operator
pjbgf committed Dec 14, 2020
1 parent 5e143a9 commit 63b6663
Showing 5 changed files with 194 additions and 6 deletions.
1 change: 1 addition & 0 deletions deploy/base/kustomization.yaml
Expand Up @@ -25,6 +25,7 @@ configMapGenerator:
- name: security-profiles-operator-profile
files:
- profiles/security-profiles-operator.json
- profiles/security-profiles-operator.apparmor

generatorOptions:
disableNameSuffixHash: true
11 changes: 9 additions & 2 deletions deploy/base/operator.yaml
Expand Up @@ -14,11 +14,13 @@ spec:
openshift.io/scc: privileged
seccomp.security.alpha.kubernetes.io/pod: runtime/default
container.seccomp.security.alpha.kubernetes.io/security-profiles-operator: localhost/security-profiles-operator.json
container.apparmor.security.beta.kubernetes.io/security-profiles-operator: localhost/k8s-security-profiles-operator
labels:
name: security-profiles-operator
spec:
serviceAccountName: security-profiles-operator
initContainers:
# TODO: review security mode for non-root-enabler
- name: non-root-enabler
image: bash
# Creates folder /var/lib/security-profiles-operator, sets 2000:2000 as its
Expand All @@ -41,7 +43,12 @@ spec:
fi
/bin/chown -R 2000:2000 $OPERATOR_ROOT
cp -f -v /opt/seccomp-profiles/* $KUBELET_SECCOMP_ROOT
cp -f -v /opt/operator-profiles/* $KUBELET_SECCOMP_ROOT
# TODO: decide on a good way to run apparmor_parser
command -v apparmor_parser >/dev/null 2>&1 && \
apparmor_parser -r /opt/operator-profiles/security-profiles-operator.apparmor || \
echo "failed to execute apparmor_parser, profile won't be loaded onto node"
env:
- name: KUBELET_SECCOMP_ROOT
value: /var/lib/kubelet/seccomp
Expand All @@ -53,7 +60,7 @@ spec:
- name: host-varlib-volume
mountPath: /var/lib
- name: profile-configmap-volume
mountPath: /opt/seccomp-profiles
mountPath: /opt/operator-profiles
readOnly: true
securityContext:
allowPrivilegeEscalation: false
Expand Down
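Review bot: The `command -v apparmor_parser >/dev/null 2>&1 && apparmor_parser -r ... || echo "failed to execute apparmor_parser, ..."` chain in the init container script can never fail the init container, yet the new pod annotation `container.apparmor.security.beta.kubernetes.io/security-profiles-operator: localhost/k8s-security-profiles-operator` requires the profile to be present on the node, and as far as I recall the kubelet validates localhost AppArmor profiles before it starts any of the pod's containers, init containers included, so on a node where the profile is not already loaded the pod would presumably be rejected rather than load its own profile. The init container's `image: bash` does not ship apparmor_parser, and loading a profile from inside a container would additionally need securityfs and CAP_MAC_ADMIN, so the echo branch is the expected path here; consider gating the annotation behind a separate loader (DaemonSet or node-side step) and documenting that in the existing `# TODO: decide on a good way to run apparmor_parser`. A smaller point: now that the ConfigMap carries both files, `cp -f -v /opt/operator-profiles/* $KUBELET_SECCOMP_ROOT` also drops the `.apparmor` file into the kubelet seccomp directory; `cp -f -v /opt/operator-profiles/*.json $KUBELET_SECCOMP_ROOT` keeps that directory to seccomp profiles. The init container spec starts and ends outside these hunks. The same script and mount changes appear in the deploy/namespace-operator.yaml and deploy/operator.yaml sections below, which look like rendered copies of this base, so the fix belongs here and should be regenerated into them.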
56 changes: 56 additions & 0 deletions deploy/base/profiles/security-profiles-operator.apparmor
@@ -0,0 +1,56 @@
#include <tunables/global>

profile k8s-security-profiles-operator /security-profiles-operator flags=(complain) {
#include <abstractions/base>

deny capability net_raw,

network inet stream,
network inet6 stream,

deny network inet udp,
deny network inet icmp,
deny network raw,
deny network netlink raw,
deny network packet,

file,

/security-profiles-operator ix,

/proc/sys/net/core/somaxconn r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

# Read service account token
/var/run/secrets/kubernetes.io/serviceaccount/** r,

# Read and write profiles
/var/lib/kubelet/seccomp/** rw,
/var/lib/security-profiles-operator/** rw,

# TODO:
# deny sensitive files within kubelet folder

deny /bin/** wl,
deny /boot/** wl,
deny /dev/** wl,
deny /etc/** wl,
deny /home/** wl,
deny /lib/** wl,
deny /lib64/** wl,
deny /media/** wl,
deny /mnt/** wl,
deny /opt/** wl,
deny /proc/** wl,
deny /root/** wl,
deny /sbin/** wl,
deny /srv/** wl,
deny /tmp/** wl,
deny /sys/** wl,
deny /usr/** wl,

deny /bin/bash mrwklx,
deny /bin/sh mrwklx,

deny mount,
}
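Review bot: `deny /dev/** wl,` overrides the `/dev/null rw` grant that `#include <abstractions/base>` provides (an explicit deny takes precedence over allow rules in AppArmor), so once this profile leaves `flags=(complain)` the operator could no longer open /dev/null, /dev/stdout or /dev/stderr for writing; narrowing that line to the device nodes you actually want to protect, or dropping `/dev` from the blanket deny list since a container's /dev is already minimal, avoids that. A comment next to `flags=(complain)` stating that the profile is deliberately audit-only for now would help, because in complain mode every `deny` below is logged rather than enforced, which the commit title does not make obvious. Likewise `file,` deserves a comment that it grants read access to every path, so the deny list only restricts write/link and readable files under /etc or /proc remain reachable. The `# TODO: deny sensitive files within kubelet folder` is the right follow-up: `/var/lib/kubelet/seccomp/** rw` is intended, but if the operator container mounts the host's /var/lib as the init container does, `file,` also leaves `/var/lib/kubelet/pods/**` readable.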
66 changes: 64 additions & 2 deletions deploy/namespace-operator.yaml
Expand Up @@ -501,7 +501,12 @@ spec:
fi
/bin/chown -R 2000:2000 $OPERATOR_ROOT
cp -f -v /opt/seccomp-profiles/* $KUBELET_SECCOMP_ROOT
cp -f -v /opt/operator-profiles/* $KUBELET_SECCOMP_ROOT
# TODO: decide on a good way to run apparmor_parser
command -v apparmor_parser >/dev/null 2>&1 && \
apparmor_parser -r /opt/operator-profiles/security-profiles-operator.apparmor || \
echo "failed to execute apparmor_parser, profile won't be loaded onto node"
command:
- bash
- -c
Expand Down Expand Up @@ -540,7 +545,7 @@ spec:
volumeMounts:
- mountPath: /var/lib
name: host-varlib-volume
- mountPath: /opt/seccomp-profiles
- mountPath: /opt/operator-profiles
name: profile-configmap-volume
readOnly: true
nodeSelector:
Expand All @@ -567,6 +572,63 @@ spec:
---
apiVersion: v1
data:
security-profiles-operator.apparmor: |
#include <tunables/global>
profile k8s-security-profiles-operator /security-profiles-operator flags=(complain) {
#include <abstractions/base>
deny capability net_raw,
network inet stream,
network inet6 stream,
deny network inet udp,
deny network inet icmp,
deny network raw,
deny network netlink raw,
deny network packet,
file,
/security-profiles-operator ix,
/proc/sys/net/core/somaxconn r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# Read service account token
/var/run/secrets/kubernetes.io/serviceaccount/** r,
# Read and write profiles
/var/lib/kubelet/seccomp/** rw,
/var/lib/security-profiles-operator/** rw,
# TODO:
# deny sensitive files within kubelet folder
deny /bin/** wl,
deny /boot/** wl,
deny /dev/** wl,
deny /etc/** wl,
deny /home/** wl,
deny /lib/** wl,
deny /lib64/** wl,
deny /media/** wl,
deny /mnt/** wl,
deny /opt/** wl,
deny /proc/** wl,
deny /root/** wl,
deny /sbin/** wl,
deny /srv/** wl,
deny /tmp/** wl,
deny /sys/** wl,
deny /usr/** wl,
deny /bin/bash mrwklx,
deny /bin/sh mrwklx,
deny mount,
}
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
Expand Down
66 changes: 64 additions & 2 deletions deploy/operator.yaml
Expand Up @@ -499,7 +499,12 @@ spec:
fi
/bin/chown -R 2000:2000 $OPERATOR_ROOT
cp -f -v /opt/seccomp-profiles/* $KUBELET_SECCOMP_ROOT
cp -f -v /opt/operator-profiles/* $KUBELET_SECCOMP_ROOT
# TODO: decide on a good way to run apparmor_parser
command -v apparmor_parser >/dev/null 2>&1 && \
apparmor_parser -r /opt/operator-profiles/security-profiles-operator.apparmor || \
echo "failed to execute apparmor_parser, profile won't be loaded onto node"
command:
- bash
- -c
Expand Down Expand Up @@ -538,7 +543,7 @@ spec:
volumeMounts:
- mountPath: /var/lib
name: host-varlib-volume
- mountPath: /opt/seccomp-profiles
- mountPath: /opt/operator-profiles
name: profile-configmap-volume
readOnly: true
nodeSelector:
Expand All @@ -565,6 +570,63 @@ spec:
---
apiVersion: v1
data:
security-profiles-operator.apparmor: |
#include <tunables/global>
profile k8s-security-profiles-operator /security-profiles-operator flags=(complain) {
#include <abstractions/base>
deny capability net_raw,
network inet stream,
network inet6 stream,
deny network inet udp,
deny network inet icmp,
deny network raw,
deny network netlink raw,
deny network packet,
file,
/security-profiles-operator ix,
/proc/sys/net/core/somaxconn r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
# Read service account token
/var/run/secrets/kubernetes.io/serviceaccount/** r,
# Read and write profiles
/var/lib/kubelet/seccomp/** rw,
/var/lib/security-profiles-operator/** rw,
# TODO:
# deny sensitive files within kubelet folder
deny /bin/** wl,
deny /boot/** wl,
deny /dev/** wl,
deny /etc/** wl,
deny /home/** wl,
deny /lib/** wl,
deny /lib64/** wl,
deny /media/** wl,
deny /mnt/** wl,
deny /opt/** wl,
deny /proc/** wl,
deny /root/** wl,
deny /sbin/** wl,
deny /srv/** wl,
deny /tmp/** wl,
deny /sys/** wl,
deny /usr/** wl,
deny /bin/bash mrwklx,
deny /bin/sh mrwklx,
deny mount,
}
security-profiles-operator.json: |
{
"defaultAction": "SCMP_ACT_ERRNO",
Expand Down
