Open surajssd opened 2 years ago
Let's consider the Rego language, used by OPA https://www.openpolicyagent.org/docs/latest/policy-language/ https://pkg.go.dev/github.com/open-policy-agent/opa/rego
Looks like our seccompagent is working with it as well https://github.com/kinvolk/seccompagent/pull/12 (additional info https://github.com/kubearmor/KubeArmor/blob/main/getting-started/security_policy_specification.md)
Right now, instead of going into implementing full-fledged CRDs, rely on a configmap for the policy information. The app will read the policy from a configmap with name `fanotify-policy` in the `fanotify-mon` namespace with key `policy`. This policy will be parsed by the application to decide what pods should be selected for policy enforcement. Here is the document to flesh out the policy language.
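As an added example, not code from this issue or from the fanotify-mon project: a Go sketch of the consuming side, reading the policy out of a ConfigMap and selecting pods from it. The ConfigMap name (`fanotify-policy`), namespace (`fanotify-mon`) and key (`policy`) are the ones stated in the issue; the policy shape itself (a JSON document with `selector.matchLabels`) is an assumption, since the policy language is still to be fleshed out. It uses the standard library only, so the `ConfigMap` and `Pod` types here are stand-ins for the client-go ones, and the sample ConfigMap and pod list are constructed inline. The one check a practitioner would want is there: an empty selector is rejected rather than silently selecting every pod in the cluster.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Names fixed by the issue text.
const (
	PolicyConfigMapName      = "fanotify-policy"
	PolicyConfigMapNamespace = "fanotify-mon"
	PolicyKey                = "policy"
)

// ConfigMap holds only the fields this example needs; it is a stand-in for
// the client-go type, not the real one.
type ConfigMap struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Data map[string]string `json:"data"`
}

// Policy is a hypothetical shape for the "policy" key: a label selector that
// picks the pods the agent enforces on.
type Policy struct {
	Selector struct {
		MatchLabels map[string]string `json:"matchLabels"`
	} `json:"selector"`
}

// Pod is the minimal pod view needed for selection (stand-in for corev1.Pod).
type Pod struct {
	Name      string
	Namespace string
	Labels    map[string]string
}

// LoadPolicy decodes a ConfigMap (JSON as the API server returns it) and
// extracts the policy. It refuses a ConfigMap with the wrong name/namespace,
// a missing key, and an empty selector, which would otherwise match all pods.
func LoadPolicy(raw []byte) (*Policy, error) {
	var cm ConfigMap
	if err := json.Unmarshal(raw, &cm); err != nil {
		return nil, fmt.Errorf("decode configmap: %w", err)
	}
	if cm.Metadata.Name != PolicyConfigMapName || cm.Metadata.Namespace != PolicyConfigMapNamespace {
		return nil, fmt.Errorf("unexpected configmap %s/%s", cm.Metadata.Namespace, cm.Metadata.Name)
	}
	doc, ok := cm.Data[PolicyKey]
	if !ok {
		return nil, errors.New("configmap has no " + PolicyKey + " key")
	}
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("decode policy: %w", err)
	}
	if len(p.Selector.MatchLabels) == 0 {
		return nil, errors.New("policy selector is empty; refusing to select every pod")
	}
	return &p, nil
}

// SelectPods returns "namespace/name" for each pod that carries every label in
// the selector with the exact value, sorted for deterministic output.
func SelectPods(p *Policy, pods []Pod) []string {
	var out []string
	for _, pod := range pods {
		match := true
		for k, v := range p.Selector.MatchLabels {
			if got, ok := pod.Labels[k]; !ok || got != v {
				match = false
				break
			}
		}
		if match {
			out = append(out, pod.Namespace+"/"+pod.Name)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample ConfigMap, shaped like `kubectl get cm -o json` output.
const SampleConfigMap = `{
  "apiVersion": "v1", "kind": "ConfigMap",
  "metadata": {"name": "fanotify-policy", "namespace": "fanotify-mon"},
  "data": {"policy": "{\"selector\": {\"matchLabels\": {\"app\": \"web\", \"tier\": \"frontend\"}}}"}
}`

// Constructed sample pod list.
var SamplePods = []Pod{
	{Name: "web-1", Namespace: "default", Labels: map[string]string{"app": "web", "tier": "frontend"}},
	{Name: "web-2", Namespace: "default", Labels: map[string]string{"app": "web", "tier": "backend"}},
	{Name: "web-3", Namespace: "default", Labels: map[string]string{"app": "web", "tier": "frontend"}},
	{Name: "coredns", Namespace: "kube-system", Labels: map[string]string{"k8s-app": "kube-dns"}},
}

func main() {
	p, err := LoadPolicy([]byte(SampleConfigMap))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(SelectPods(p, SamplePods)) // [default/web-1 default/web-3]
}
```

In a real agent the `raw` bytes would come from a watch on that single ConfigMap (scoped by an RBAC rule to `fanotify-mon`/`fanotify-policy` only), and a decode or validation error should keep the previously loaded policy in force rather than dropping enforcement.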