kubernetes-sigs / security-profiles-operator

The Kubernetes Security Profiles Operator
Apache License 2.0

Deploy default profiles as first-class objects #267

Closed saschagrunert closed 3 years ago

saschagrunert commented 3 years ago

Right now we deploy the default profiles as a separate step after the operator:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/master/deploy/operator.yaml
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/security-profiles-operator/master/deploy/profiles/default-profiles.yaml

We could use a first-class object to define the default profiles in the same way as we do it with the spod:

// Imports added for completeness; the import paths are assumed to match the
// repository layout at the time of this issue.
import (
    "github.com/containers/common/pkg/seccomp"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

    "sigs.k8s.io/security-profiles-operator/api/v1alpha1"
    "sigs.k8s.io/security-profiles-operator/internal/pkg/config"
)

// Architectures the default profile applies to (pointers are needed by the API type).
var (
    archX8664 = v1alpha1.Arch(seccomp.ArchX86_64)
    archX86   = v1alpha1.Arch(seccomp.ArchX86)
    archX32   = v1alpha1.Arch(seccomp.ArchX32)
)

// defaultProfile holds the default profiles as a SeccompProfileList, so they can be
// reconciled by the operator instead of applied from a separate YAML.
var defaultProfile = v1alpha1.SeccompProfileList{
    Items: []v1alpha1.SeccompProfile{
        {
            ObjectMeta: metav1.ObjectMeta{
                Name: "nginx-1.19.1",
                Labels: map[string]string{
                    "app": config.OperatorName,
                },
            },
            Spec: v1alpha1.SeccompProfileSpec{
                TargetWorkload: "default-profiles",
                DefaultAction:  seccomp.ActErrno, // deny everything not listed below
                Architectures:  []*v1alpha1.Arch{&archX8664, &archX86, &archX32},
                Syscalls: []*v1alpha1.Syscall{
                    {
                        Action: seccomp.ActAllow,
                        Names: []string{
                            "accept4",
                            "…",
                            "writev",
                        },
                    },
                },
            },
        },
    },
}

We would need an additional controller which is able to watch for the daemonset to be running and deploy the profiles in that case.

WDYT?
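The controller sketched above has two security-relevant properties worth pinning down: default profiles must not be applied before the SPO daemonset is actually running on every node (otherwise workloads could reference a profile that no node has installed), and each reconcile pass must be idempotent. The following is an added example, not code from the operator or from the issue author; it models that decision with the standard library only. `DaemonSetStatus`, `Profile`, `ProfileStore`, `memStore` and `reconcileDefaults` are constructed stand-ins for the Kubernetes types and client the real controller would use.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// DaemonSetStatus mirrors the three counters from appsv1.DaemonSetStatus that
// the readiness gate needs. Constructed stand-in type for this example.
type DaemonSetStatus struct {
	DesiredNumberScheduled int32
	NumberReady            int32
	UpdatedNumberScheduled int32
}

// daemonSetReady is the gate before default profiles are deployed: every node
// that should run an SPO pod has one that is ready and on the current rollout.
// A zero desired count means no node matched yet, which is treated as not ready.
func daemonSetReady(st DaemonSetStatus) bool {
	if st.DesiredNumberScheduled == 0 {
		return false
	}
	return st.NumberReady == st.DesiredNumberScheduled &&
		st.UpdatedNumberScheduled == st.DesiredNumberScheduled
}

// Profile is a minimal model of a SeccompProfile object (name plus allowed
// syscalls); the real CRD also carries architectures and a default action.
type Profile struct {
	Name     string
	Syscalls []string
}

// ProfileStore is the slice of API-client behaviour the reconciler needs;
// a hypothetical interface standing in for the Kubernetes client.
type ProfileStore interface {
	Get(name string) (Profile, bool)
	Create(p Profile) error
}

// ErrAlreadyExists models the API server's conflict on a duplicate create.
var ErrAlreadyExists = errors.New("profile already exists")

// memStore is an in-memory ProfileStore used to run the example offline.
type memStore struct{ profiles map[string]Profile }

func newMemStore() *memStore { return &memStore{profiles: map[string]Profile{}} }

func (s *memStore) Get(name string) (Profile, bool) {
	p, ok := s.profiles[name]
	return p, ok
}

func (s *memStore) Create(p Profile) error {
	if _, ok := s.profiles[p.Name]; ok {
		return ErrAlreadyExists
	}
	s.profiles[p.Name] = p
	return nil
}

// reconcileDefaults is one reconcile pass: do nothing until the daemonset is
// ready, then create each default profile that is missing. It is idempotent,
// so repeated passes (and profiles created concurrently) are harmless.
// It returns the names it created, sorted.
func reconcileDefaults(st DaemonSetStatus, store ProfileStore, defaults []Profile) ([]string, error) {
	if !daemonSetReady(st) {
		return nil, nil // requeue; profiles must not be applied before the daemonset runs
	}
	created := []string{}
	for _, p := range defaults {
		if _, exists := store.Get(p.Name); exists {
			continue // already deployed, leave it untouched
		}
		err := store.Create(p)
		if errors.Is(err, ErrAlreadyExists) {
			continue // lost a race with another creator; still fine
		}
		if err != nil {
			return created, fmt.Errorf("create profile %q: %w", p.Name, err)
		}
		created = append(created, p.Name)
	}
	sort.Strings(created)
	return created, nil
}

func main() {
	// Constructed default profiles, echoing the nginx example from the issue.
	defaults := []Profile{
		{Name: "nginx-1.19.1", Syscalls: []string{"accept4", "writev"}},
	}
	store := newMemStore()
	rollingOut := DaemonSetStatus{DesiredNumberScheduled: 3, NumberReady: 3, UpdatedNumberScheduled: 2}
	created, _ := reconcileDefaults(rollingOut, store, defaults)
	fmt.Println("during rollout, created:", created) // []
	ready := DaemonSetStatus{DesiredNumberScheduled: 3, NumberReady: 3, UpdatedNumberScheduled: 3}
	created, _ = reconcileDefaults(ready, store, defaults)
	fmt.Println("once ready, created:", created) // [nginx-1.19.1]
	created, _ = reconcileDefaults(ready, store, defaults)
	fmt.Println("second pass, created:", created) // []
}
```

The readiness check compares `UpdatedNumberScheduled` as well as `NumberReady`, so a daemonset mid-rollout (old pods still ready, new ones not yet scheduled) does not trigger profile deployment; in a real controller the same predicate would sit in a watch on the SPO DaemonSet, and the create path would treat the API server's AlreadyExists error exactly as the in-memory store does here.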

saschagrunert commented 3 years ago

Ah maybe we can deploy them directly with the SPO daemonset.