README
¶
Kubernetes Security Profiles Operator
The Security Profiles Operator (SPO) is an out-of-tree Kubernetes enhancement which aims to make it easier to create and use SELinux, seccomp and AppArmor security profiles in Kubernetes clusters.
Features
This is the parity of features across various security profiles supported by the SPO:
| Seccomp | SELinux | AppArmor | |
|---|---|---|---|
| Profile CRD | Yes | Yes | Yes |
| Install profiles in cluster | Yes | Yes | Yes |
| Remove unused profiles from cluster | Yes | Yes | Yes |
| Profile Recording (audit logs) | Yes | Yes | No |
| Profile Recording (eBPF) | Yes | No | Yes |
| Profile Binding to container images | Yes | No | No |
| Audit log enrichment | Yes | Yes | Yes |
For information about the security model and what permissions each feature requires, refer to SPO's security model.
Resources
The motivation behind the project can be found in the corresponding RFC.
Related Kubernetes Enhancement Proposals (KEPs) which have direct influence on this project:
- Promote seccomp to GA
- Add ConfigMap support for seccomp custom profiles
- Add KEP to create seccomp built-in profiles and add complain mode
Next to those KEPs, here are existing approaches for security profiles in the Kubernetes world:
- AppArmor Loader
- OpenShift's Machine config operator, in charge of file management and security profiles on hosts
- seccomp-config
Community, discussions, contributions, and support
If you're interested in contributing to SPO, please see the developer focused document.
We schedule a monthly meeting every last Thursday of a month.
Learn how to engage with the Kubernetes community on the community page.
You can reach the maintainers of this project at:
Code of conduct
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.
Directories
¶
| Path | Synopsis |
|---|---|
|
api
|
|
|
apparmorprofile/v1alpha1
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
|
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io |
|
profilebinding/v1alpha1
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
|
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io |
|
profilerecording/v1alpha1
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
|
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io |
|
seccompprofile/v1beta1
Package v1beta1 contains API Schema definitions for the security-profiles-operator v1beta1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
|
Package v1beta1 contains API Schema definitions for the security-profiles-operator v1beta1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io |
|
secprofnodestatus/v1alpha1
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
|
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io |
|
selinuxprofile/v1alpha2
Package v1alpha2 contains API Schema definitions for the security-profiles-operator v1alpha2 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
|
Package v1alpha2 contains API Schema definitions for the security-profiles-operator v1alpha2 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io |
|
spod/v1alpha1
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io
|
Package v1alpha1 contains API Schema definitions for the security-profiles-operator v1alpha1 API group +kubebuilder:object:generate=true +groupName=security-profiles-operator.x-k8s.io |
|
internal
|
|
|
pkg/artifact/artifactfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/command/commandfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/converter/converterfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/installer/installerfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/merger/mergerfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/puller/pullerfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/pusher/pusherfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/recorder/recorderfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/remover/removerfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/cli/runner/runnerfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/daemon/bpfrecorder/bpfrecorderfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/daemon/enricher/enricherfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/daemon/metrics/metricsfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/daemon/profilerecorder/profilerecorderfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/daemon/seccompprofile/seccompprofilefakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/nonrootenabler/nonrootenablerfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/webhooks/binding/bindingfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
pkg/webhooks/recording/recordingfakes
Code generated by counterfeiter.
|
Code generated by counterfeiter. |
|
test
|
|
Click to show internal directories.
Click to hide internal directories.