@pjbgf
Last active November 15, 2022 22:46
Flux - AppArmor Profiles
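#include <tunables/global>

# Confinement profile for the Flux controller binaries (source, helm,
# kustomize, image-automation, image-reflector, notification).
# AppArmor is default-deny: in enforce mode anything not granted below is
# refused, and an explicit `deny` rule wins over any allow rule.
#   attach_disconnected - paths that are disconnected from the namespace
#                         root (common with container mounts) are still
#                         mediated instead of being rejected outright.
#   mediate_deleted     - files stay mediated after they have been unlinked.
profile flux-controllers flags=(attach_disconnected, mediate_deleted) {
  # The `#include` spelling is used for every include so the whole file
  # parses on older parsers that predate the bare `include` keyword; the
  # tunables line at the top already used this form.
  #include <abstractions/base>
  #include <abstractions/ssl_certs>
  #include <abstractions/gnupg>
  #include <abstractions/user-tmp>

  # Allow TCP and UDP over IPv4 and IPv6.
  # `network tcp,` / `network udp,` are not limited to a family, so they
  # overlap with the two inet/inet6 stream rules; kept as the author wrote
  # them.
  network inet stream,
  network inet6 stream,
  network tcp,
  network udp,

  # Controller binaries.
  # mrix = mmap-exec, read, execute with the child inheriting this profile
  # (no transition to a different or unconfined profile).
  /usr/local/bin/{source,helm,kustomize,image-automation,image-reflector,notification}-controller mrix,

  # gpg is needed by kustomize-controller when using GPG decryption.
  /usr/bin/gpg{,-agent} mrix,

  # Some controllers are started via tini.
  /sbin/tini mrix,

  # git is needed by kustomize-controller when using remote bases.
  # NOTE(review): if remotes are reached over SSH or via git's remote
  # helpers, git would also need to exec those helpers; none are listed
  # here - confirm against the controller image before relying on it.
  /usr/bin/git mrix,

  # Data storage locations.
  # /data is used as artifact storage and base for File Server.
  # rwk = read, write, lock. No `x` or `m` is granted, so artifacts
  # fetched into /data cannot be executed or mmap-exec'd from here.
  /data/ rwk,
  /data/** rwk,

  # Read-only access to the projected Kubernetes service account token.
  # NOTE(review): the mount is usually /var/run/secrets/...; this rule
  # relies on /var/run resolving to /run on the node - verify if the
  # distribution does not symlink them.
  /run/secrets/kubernetes.io/serviceaccount/** r,

  # Name-service and host lookups.
  /etc/{group,passwd,hosts} r,
  /etc/{nsswitch,resolv}.conf r,

  # Kernel tunables read by the runtime (read-only).
  /proc/sys/net/core/somaxconn r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # Deny raw and packet level network access.
  deny network raw,
  deny network packet,

  # Read access to /proc/<pid>/ entries.
  # NOTE(review): with tunables/global, @{pid} expands to a numeric
  # pattern rather than the calling process's own pid, so these rules
  # allow reading any process's /proc entries that DAC already permits.
  # If self-only access is the intent, prefix both rules with `owner`
  # (e.g. `owner @{PROC}/@{pid}/** r,`) after confirming the controllers
  # never need /proc entries of processes owned by another uid.
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/** r,

  # The capabilities denied below take precedence over any capabilities
  # granted at pod level or by default from the container runtime: an
  # AppArmor deny is checked in capable() regardless of the bounding set.
  # Since this profile grants no capability at all, these rules mainly
  # make the intent explicit and keep the denials quiet (deny rules are
  # not logged), so they cannot be re-enabled by a later allow rule.
  deny capability net_bind_service, # no need for net_bind_service for ports above 1024.
  deny capability audit_control,
  deny capability dac_override,
  # NOTE(review): confirm the parser accepts brace alternation in
  # capability names (`apparmor_parser -Q <profile>` fails if it does
  # not); one capability per rule is the portable spelling.
  deny capability sys_{chroot,boot,module,admin,ptrace},
  deny capability syslog,
  deny capability net_{raw,admin},
  deny capability mac_{admin,override},
  deny capability mknod,
}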