Enable the use of AppArmor profiles by adding:
annotations:
container.apparmor.security.beta.kubernetes.io/manager: localhost/flux-controllersEnsure that the profiles are installed on all worker nodes, manually or with SPO: https://github.com/kubernetes-sigs/security-profiles-operator
| #include <tunables/global> | |
| profile flux-controllers flags=(attach_disconnected, mediate_deleted) { | |
| include <abstractions/base> | |
| include <abstractions/ssl_certs> | |
| include <abstractions/gnupg> | |
| include <abstractions/user-tmp> | |
| # Allow udp/tcp, ipv4 and ipv6. | |
| network inet stream, | |
| network inet6 stream, | |
| network tcp, | |
| network udp, | |
| # Controller binaries. | |
| /usr/local/bin/{source,helm,kustomize,image-automation,image-reflector,notification}-controller mrix, | |
| # gpg is needed by kustomize-controller when using GPG decryption. | |
| /usr/bin/gpg{,-agent} mrix, | |
| # Some controllers are started via tini. | |
| /sbin/tini mrix, | |
| # git is needed by kustomize-controller when using remote bases. | |
| /usr/bin/git mrix, | |
| # Data storage locations. | |
| # /data is used as artifact storage and base for File Server. | |
| /data/ rwk, | |
| /data/** rwk, | |
| # Access to Kubernetes service account tokens. | |
| /run/secrets/kubernetes.io/serviceaccount/** r, | |
| /etc/{group,passwd,hosts} r, | |
| /etc/{nsswitch,resolv}.conf r, | |
| /proc/sys/net/core/somaxconn r, | |
| /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, | |
| # Deny raw and packet level network access. | |
| deny network raw, | |
| deny network packet, | |
| # Allow read access to its own process files. | |
| @{PROC}/@{pid}/ r, | |
| @{PROC}/@{pid}/** r, | |
| # The denied capabilities below will triumph over any capabilities | |
| # given at pod-level or by default from the container runtime. | |
| deny capability net_bind_service, # no need for net_bind_service for ports above 1024. | |
| deny capability audit_control, | |
| deny capability dac_override, | |
| deny capability sys_{chroot,boot,module,admin,ptrace}, | |
| deny capability syslog, | |
| deny capability net_{raw,admin}, | |
| deny capability mac_{admin,override}, | |
| deny capability mknod, | |
| } |