Support Podman for unorchestrated environments

[rootxrishabh]

Kubearmor connects to the container-runtime to get the mount-namespace and other details (for eg, container image details etc). These details are used subsequently in the telemetry/log enrichment. For e.g -

• Check if the process event is in the context of the container/namespace.
• To check what is the container image ID for the event that is generated

The aim is to create Podman support for kubearmor for unorchestrated environments as podman does not implement the CRI.

Initial Scope:

• [ ] Design points
• [ ] Leverage OCI hooks for container information
• [ ] Validate policy enforcement with Podman
• [ ] Validate alerts/telemetry with Podman

Future Items:

Support for podman with socket mode as well

References:

• https://www.redhat.com/en/blog/open-container-initiative-hooks-admission-control-podman
• https://github.com/containers/podman/tree/main/pkg/bindings
• https://www.redhat.com/en/topics/containers/what-is-podman
• https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md

[vinayakjaas]

Hey @rootxrishabh , I am interested in the issue of creating Podman support for KubeArmor in unorchestrated environments. I plan to review the reading materials you provided and other resources available online related to Podman. I will come up with a proper plan and design for this project.

[VeerChaurasia]

Hey @rootxrishabh,Exicted to work on this issue of creating Podman support for KubeArmor for unorchestrated environments.Currently going through the references you have shared.

[kairveeehh]

hii @rootxrishabh I would like to work for this project as it aligns with my skills and interests under the LFX mentorship programme

[abhashsolanki18]

@rootxrishabh this would be an exciting project for me as i've worked closely with podman during my global certification training with RedHat for RHCSA and RHCE, i'll go through the resources and prepare a plan for the project.

[bdharsan04]

hey @rootxrishabh are there any prerequisites for working on this particular project?

[daemon1024]

Hey Folks, Thanks for the interest in the mentorship. We have certain prerequisites which we expect to be included in your application. Please include details or reference to a document for the said prerequisite in your Cover Letter / Mail to the mentors / DM Mentors in CNCF Slack by 20 August 11:59PM IST

Following are the details.

Support Podman and OCI Hooks support for unorchestrated environments - https://mentorship.lfx.linuxfoundation.org/project/c693a6b1-d034-4140-8aba-dfe02fbef48a

Prerequisite:

Share an OCI Hook to add AppArmor Profile to container created by user. Generally AppArmorProfile can set for a container using

sudo podman run --name=test --security-opt=apparmor=test-profile -it busybox

Where test-profile is an already loaded apparmor profile.

Imagine you start a container using

sudo podman run --name=test-non-apparmor -it busybox

Due to the presence of your OCI Hook, the said podman container should be loaded with a AppArmor Profile

References to understand containers and apparmor profile

• https://docs.podman.io/en/latest/markdown/podman-build.1.html#security-opt-option
• https://docs.docker.com/engine/security/apparmor/