This PoC takes a container rootfs and only allows access to files in it if they are signed with a particular public key. For now it prints the hashes of the files that are accessed:

sudo ./fanotify-poc ROOTFS_PATH

fanotify does not work across mount namespaces, so this only covers files accessed from outside the container.

Build the monitor and run it on the node, pointing it at your kubeconfig:

make build
sudo ./fanotify-mon --hostname="yourhost" --runtime=docker --kubeconfig="kubeconfig path"

Start a pod carrying the enforcement label:

kubectl run --image nginx -l enforce.k8s.io=deny-third-party-execution nginx

From a shell in that container, the original touch binary works, but a replacement written into the rootfs does not:

touch newfile
ls
rm -rf /usr/bin/touch
cat <<EOF > /usr/bin/touch
#!/bin/bash
echo this is a new touch
EOF
chmod +x /usr/bin/touch
touch file
touch

The last two touch invocations should be blocked and you should see the error: Operation not permitted

The running ./fanotify-mon will also show you what was denied in its logs. To follow containerd's logs alongside it:

sudo journalctl -fu containerd