Last active
November 18, 2022 23:23
AppArmor loader 1-click
apiVersion: v1
kind: ConfigMap
metadata:
  name: apparmor-profiles
data:
  docker-default-audit: |-
    #include <tunables/global>

    profile docker-default-audit flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/base>

      network,
      capability,
      file,
      umount,

      deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
      # deny write to files not in /proc/<number>/** or /proc/sys/**
      deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
      deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
      deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
      deny @{PROC}/sysrq-trigger rwklx,
      deny @{PROC}/mem rwklx,
      deny @{PROC}/kmem rwklx,
      deny @{PROC}/kcore rwklx,

      deny mount,

      deny /sys/[^f]*/** wklx,
      deny /sys/f[^s]*/** wklx,
      deny /sys/fs/[^c]*/** wklx,
      deny /sys/fs/c[^g]*/** wklx,
      deny /sys/fs/cg[^r]*/** wklx,
      deny /sys/firmware/efi/efivars/** rwklx,
      deny /sys/kernel/security/** rwklx,

      # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
      ptrace (trace,read) peer=docker-default,
      # END docker-default

      # Audit all writes! Writes not blocked by the deny rules above are still
      # allowed; this rule only logs them (audit records in the kernel log / auditd).
      audit /** w,
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: apparmor-loader
spec:
  # apps/v1 requires an explicit selector matching the pod template labels.
  selector:
    matchLabels:
      daemon: apparmor-loader
  template:
    metadata:
      name: apparmor-loader
      labels:
        daemon: apparmor-loader
    spec:
      containers:
      - name: apparmor-loader
        image: google/apparmor-loader:latest
        args:
        # Tell the loader to poll the /profiles directory every 30 seconds.
        - -poll
        - 30s
        - /profiles
        securityContext:
          # The loader requires root permissions to actually load the profiles.
          privileged: true
        volumeMounts:
        - name: sys
          mountPath: /sys
          readOnly: true
        - name: apparmor-includes
          mountPath: /etc/apparmor.d
          readOnly: true
        - name: profiles
          mountPath: /profiles
          readOnly: true
      volumes:
      # The /sys directory must be mounted to interact with the AppArmor module.
      - name: sys
        hostPath:
          path: /sys
      # The /etc/apparmor.d directory is required for most apparmor include templates.
      - name: apparmor-includes
        hostPath:
          path: /etc/apparmor.d
      # Map in the profile data.
      - name: profiles
        configMap:
          name: apparmor-profiles
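Loading the profile is only half the job: a pod still has to ask for it, and you want a check that the loader actually got it into the kernel in enforce mode before relying on it. The script below is an added example, not part of the gist or of the apparmor-loader image. It assumes the profile name `docker-default-audit` from the ConfigMap above, that the node's loaded profiles are listed in `/sys/kernel/security/apparmor/profiles` as one `name (mode)` entry per line, and that a confined process reports its profile in `/proc/<pid>/attr/current`; the `apparmor-check` pod name, the `app` container name, and the sample profile list are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the gist): post-deployment checks for the apparmor-loader
# DaemonSet, with the parsing parts runnable offline against constructed input.
#
# Assumptions (not stated on the original page):
#   - the profile name is docker-default-audit, as in the ConfigMap above
#   - /sys/kernel/security/apparmor/profiles lists loaded profiles as "name (mode)"
#   - /proc/<pid>/attr/current inside a container reads "name (mode)" or "unconfined"

# Print the mode ("enforce", "complain", ...) of a named profile from a file in the
# format of /sys/kernel/security/apparmor/profiles, or "missing" if it is not loaded.
apparmor_profile_mode() {
    profiles_file=$1
    profile_name=$2
    awk -v name="$profile_name" '
        $1 == name { gsub(/[()]/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$profiles_file"
}

# Exit status 0 only if the profile is loaded in enforce mode, so this composes
# with set -e in a smoke test; a complain-mode or missing profile fails the check.
apparmor_require_enforced() {
    [ "$(apparmor_profile_mode "$1" "$2")" = "enforce" ]
}

# Extract the profile name from the contents of /proc/<pid>/attr/current
# ("docker-default-audit (enforce)" for a confined process, "unconfined" otherwise).
apparmor_confinement_profile() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Emit a Pod manifest that asks the kubelet to confine container $2 with the
# node-local profile $1, using the Kubernetes AppArmor annotation
# container.apparmor.security.beta.kubernetes.io/<container>: localhost/<profile>.
# The pod and container names are arbitrary choices for this example.
apparmor_pod_manifest() {
    profile_name=$1
    container_name=$2
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: apparmor-check
  annotations:
    container.apparmor.security.beta.kubernetes.io/${container_name}: localhost/${profile_name}
spec:
  containers:
  - name: ${container_name}
    image: busybox
    command: ["sh", "-c", "cat /proc/1/attr/current; sleep 3600"]
EOF
}

# Constructed sample standing in for /sys/kernel/security/apparmor/profiles on a node.
sample_profiles=$(mktemp)
printf '%s\n' \
    'docker-default (enforce)' \
    'docker-default-audit (enforce)' \
    '/usr/sbin/chronyd (complain)' > "$sample_profiles"

apparmor_profile_mode "$sample_profiles" docker-default-audit   # enforce
apparmor_profile_mode "$sample_profiles" not-loaded             # missing
if apparmor_require_enforced "$sample_profiles" docker-default-audit; then
    echo "docker-default-audit is loaded in enforce mode"
fi
apparmor_confinement_profile 'docker-default-audit (enforce)'   # docker-default-audit
apparmor_pod_manifest docker-default-audit app
rm -f "$sample_profiles"
```

On a real node, point `apparmor_profile_mode` at `/sys/kernel/security/apparmor/profiles` (for example from a privileged debug pod or over SSH) after the loader's next poll, then apply the generated manifest and confirm confinement with `kubectl exec apparmor-check -- cat /proc/1/attr/current`, which should print `docker-default-audit (enforce)`. The profile text itself can be syntax-checked before it is pushed to the ConfigMap with `apparmor_parser -Q` (`--skip-kernel-load`) on a machine that has the same `/etc/apparmor.d` includes, which is exactly why the DaemonSet mounts that directory from the host.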
Hi, where is the google-containers/apparmor-loader Go code published?

It's here: https://github.com/kubernetes/kubernetes/blob/v1.25.4/test/images/apparmor-loader/loader.go
But I recommend looking at the Kubernetes Security Profiles Operator as a more well-supported alternative: https://github.com/kubernetes-sigs/security-profiles-operator

Thanks!
I'm already watching that project, but it is still not production ready for managing profiles on worker nodes.
While they work on the next release I'd like to try a custom solution based on a daemon polling a ConfigMap, so that I can update the profiles by pushing a new PR from an Azure DevOps git project.
kubernetes-sigs/security-profiles-operator#1210