Closed Neumann-Nils closed 5 years ago
You can use the following Seccomp profile to test it (try `chmod +x /bin`):

`placeholder_seccomp.json`:

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "chmod"
      ],
      "action": "SCMP_ACT_ERRNO",
      "args": [],
      "comment": "",
      "includes": {},
      "excludes": {}
    }
  ]
}
```

Just copy this file into `install/charts/custom-seccomp-profiles/` and change `seccompProfile: "localhost/placeholder_seccomp.json"` in the `values.yaml`. Thus, this profile will be applied to all created pods and containers.
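A small checker for profiles in this format, added here as an example and not part of karydia or the PR: it validates the mandatory fields, resolves which action a given syscall ends up with, and lists what the profile actually restricts. The function names and the "first matching unconditional rule wins" rule are assumptions made for this example, not libseccomp's exact matching semantics.

```python
import json

# libseccomp action names accepted by the Docker/Kubernetes profile format.
KNOWN_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                 "SCMP_ACT_TRAP", "SCMP_ACT_TRACE", "SCMP_ACT_LOG"}

# Constructed copy of the placeholder profile above (chmod -> ERRNO, everything else allowed).
PLACEHOLDER_PROFILE = """{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["chmod"], "action": "SCMP_ACT_ERRNO", "args": [],
     "comment": "", "includes": {}, "excludes": {}}
  ]
}"""


def rule_names(rule):
    """The format allows either "names": [...] or the older single "name" key."""
    return rule.get("names") or ([rule["name"]] if "name" in rule else [])


def validate_profile(profile):
    """Return a list of structural problems; an empty list means the profile is well-formed."""
    problems = []
    if profile.get("defaultAction") not in KNOWN_ACTIONS:
        problems.append("defaultAction missing or unknown: %r" % profile.get("defaultAction"))
    if not profile.get("architectures"):
        problems.append("architectures is empty, so the filter would cover no architecture")
    for i, rule in enumerate(profile.get("syscalls", [])):
        if not rule_names(rule):
            problems.append("syscalls[%d]: no syscall names" % i)
        if rule.get("action") not in KNOWN_ACTIONS:
            problems.append("syscalls[%d]: unknown action %r" % (i, rule.get("action")))
    return problems


def load_profile(text):
    """Parse profile JSON and refuse it early if validate_profile() finds anything."""
    profile = json.loads(text)
    problems = validate_profile(profile)
    if problems:
        raise ValueError("; ".join(problems))
    return profile


def effective_action(profile, syscall):
    """Action applied to `syscall`: first matching unconditional rule, else defaultAction.
    Assumption: rules with args/includes/excludes are conditional and skipped here."""
    for rule in profile.get("syscalls", []):
        conditional = rule.get("args") or rule.get("includes") or rule.get("excludes")
        if syscall in rule_names(rule) and not conditional:
            return rule["action"]
    return profile["defaultAction"]


def denied_syscalls(profile):
    """Sorted syscall names that get a non-ALLOW action, i.e. what the profile restricts."""
    return sorted({n for r in profile.get("syscalls", [])
                   if r.get("action") != "SCMP_ACT_ALLOW" for n in rule_names(r)})
```

With `defaultAction` set to `SCMP_ACT_ALLOW` the profile is a deny-list, so `denied_syscalls()` is the complete picture of what it blocks; the same functions work unchanged on an allow-list profile whose default is `SCMP_ACT_ERRNO`.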
Description
This pull request introduces support for custom Seccomp profiles. A user can create/provide his Seccomp profile and karydia will distribute and maintain it on all nodes in the cluster. Moreover, karydia will enforce the Seccomp profile on all created pods/containers.
Note: This implementation includes one workaround that keeps the pods of the daemonset alive such that they will not restart over and over again (a daemonset does not yet support restartPolicy: Never). This is described in issue #163.
Checklist
Before submitting this PR, please make sure: