What would you like to be added:
The ApparmorProfile CRD should be cluster-wide scope, and not namespaced. I would argue that SeccompProfile should be the same.
The Profile CRDs are currently namespaced and there are a number of issues with this:
- apparmor profile during the installation, it gets loaded into the Linux kernel of each node, and it is available cluster-wide; any pod can reference it in the security context.
- There isn't any mechanism in the security context to allow namespacing the security profiles.
- It is currently possible to overwrite a profile from one namespace with another profile created in a different namespace if both profiles have the same name. This can be used to perform cross-namespace attacks. For instance, a less permissive profile gets overwritten by a profile with more privileges from a different namespace, even though the profile creator doesn't have permissions to do so in the original namespace.
Why is this needed:
This will enhance security and make it more transparent to RBAC policies that these profiles are actually cluster-wide.
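An audit for the name collision described above, added here as an example and not taken from the issue or the operator's code base: it reads a JSON list of profile objects and reports every profile name that is defined in more than one namespace. It assumes the input has the shape of `kubectl get <resource> -A -o json` output and that the objects carry the kind `AppArmorProfile` (matched case-insensitively); the sample objects and the function name are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a Kubernetes "List" document.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "AppArmorProfile",
         "metadata": {"name": "web-restricted", "namespace": "team-a"}},
        {"kind": "AppArmorProfile",
         "metadata": {"name": "web-restricted", "namespace": "team-b"}},
        {"kind": "AppArmorProfile",
         "metadata": {"name": "db-restricted", "namespace": "team-a"}},
        # A different kind with the same name is outside the default scope.
        {"kind": "SeccompProfile",
         "metadata": {"name": "web-restricted", "namespace": "team-c"}},
    ],
})


def find_cross_namespace_collisions(list_json, kinds=("AppArmorProfile",)):
    """Return {profile name: sorted namespaces} for every profile name that
    exists in more than one namespace (hypothetical helper for this example).

    A name listed here maps to a single node-level profile, so the object
    applied last decides what every pod referencing that name actually gets.
    """
    wanted = {k.lower() for k in kinds}
    namespaces_by_name = defaultdict(set)
    for item in json.loads(list_json).get("items", []):
        meta = item.get("metadata") or {}
        name, namespace = meta.get("name"), meta.get("namespace")
        if str(item.get("kind", "")).lower() not in wanted:
            continue
        if not name or not namespace:
            continue  # cluster-scoped or malformed objects cannot collide this way
        namespaces_by_name[name].add(namespace)
    return {name: sorted(ns)
            for name, ns in namespaces_by_name.items() if len(ns) > 1}


if __name__ == "__main__":
    for name, namespaces in sorted(find_cross_namespace_collisions(SAMPLE).items()):
        print(f"profile name {name!r} is defined in namespaces: {', '.join(namespaces)}")
```

Each reported name is a candidate for review: check which namespace's object was applied last and whether its creator was meant to control the profile used by pods in the other namespaces.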