Dynamic Seccomp Profiles based on Cluster-level rules to Enforce syscalls

kubernetes-sigs / security-profiles-operator

The Kubernetes Security Profiles Operator

Apache License 2.0

715 stars 107 forks source link

Dynamic Seccomp Profiles based on Cluster-level rules to Enforce syscalls #142

Closed pjbgf closed 3 years ago

pjbgf commented 4 years ago

What would you like to be added:

Custom seccomp profiles could be dynamically modified to always allow specific system calls. The always allowed system calls would be low risk/impact and built into the operator.

Why is this needed:

Some essential system calls (e.g. exit, exit_group) can be left out of seccomp profiles leading to containers being caught up on endless exit loops, as reported here. This is a non-deterministic behaviour, meaning that the same profile and container combination may have the issue in one kernel/platform, and not have it in another.

saschagrunert commented 4 years ago

Sounds good! How would an API look like?

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

saschagrunert commented 3 years ago

/remove-lifecycle stale

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot commented 3 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten

fejta-bot commented 3 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community. /close

k8s-ci-robot commented 3 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/security-profiles-operator/issues/142#issuecomment-858482238): >Rotten issues close after 30d of inactivity. >Reopen the issue with `/reopen`. >Mark the issue as fresh with `/remove-lifecycle rotten`. > >Send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community). >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.