kubernetes / enhancements

Enhancements tracking repo for Kubernetes
Apache License 2.0

AppArmor support #24

Open timstclair opened 8 years ago

timstclair commented 8 years ago

Description

Add AppArmor support to Kubernetes. Initial support should include the ability to specify an AppArmor profile for a container or pod in the API, and have that profile applied by the container runtime.

Progress Tracker

_FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers._

FEATURE_STATUS: BETA

More advice:

Design

Coding

Docs

timstclair commented 8 years ago

Original issue here: https://github.com/kubernetes/kubernetes/issues/22159

janetkuo commented 8 years ago

@timstclair it looks like the docs PR number is outdated. Please update the PR number and check the docs box once it's done

timstclair commented 8 years ago

Fixed. Thanks @janetkuo!

timstclair commented 8 years ago

Docs https://github.com/kubernetes/kubernetes.github.io/pull/1147 - @kubernetes/docs

devin-donnelly commented 8 years ago

Is there an issue? I merged this one in last week.

On Sep 21, 2016 1:30 PM, "Tim St. Clair" notifications@github.com wrote:

> Docs kubernetes/kubernetes.github.io#1147 https://github.com/kubernetes/kubernetes.github.io/pull/1147 - @kubernetes/docs https://github.com/orgs/kubernetes/teams/docs


timstclair commented 8 years ago

No, I was just following the instructions at the bottom of the issue, which I hadn't done before...

fejta-bot commented 6 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.

/lifecycle stale

fejta-bot commented 6 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle rotten
/remove-lifecycle stale

fejta-bot commented 6 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/close

liggitt commented 6 years ago

/remove-lifecycle rotten

justaugustus commented 6 years ago

@tallclair @liggitt Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

cc @idvoretskyi

fejta-bot commented 6 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

fejta-bot commented 6 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle rotten

justaugustus commented 6 years ago

@tallclair @kubernetes/sig-node-feature-requests @kubernetes/sig-auth-feature-requests -- are there plans for AppArmor support?

/kind feature
/sig auth
/unassign @timstclair
/assign @tallclair

tallclair commented 6 years ago

No plans right now.

kacole2 commented 5 years ago

Hi, this enhancement has been tracked before, so we'd like to check in and see if there are any plans for this to graduate stages in Kubernetes 1.13. This release is targeted to be more ‘stable’ and will have an aggressive timeline. Please only include this enhancement if there is a high level of confidence it will meet the following deadlines:

Please take a moment to update the milestones on your original post for future tracking and ping @kacole2 if it needs to be included in the 1.13 Enhancements Tracking Sheet

Thanks!

fejta-bot commented 5 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

fejta-bot commented 5 years ago

Enhancement issues opened in kubernetes/enhancements should never be marked as frozen. Enhancement Owners can ensure that enhancements stay fresh by consistently updating their states across release cycles.

/remove-lifecycle frozen

fejta-bot commented 5 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle rotten

fejta-bot commented 5 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/close

k8s-ci-robot commented 5 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes/enhancements/issues/24#issuecomment-473690531):

> Rotten issues close after 30d of inactivity.
> Reopen the issue with `/reopen`.
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Send feedback to sig-testing, kubernetes/test-infra and/or [fejta](https://github.com/fejta).
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

tallclair commented 5 years ago

/remove-lifecycle rotten

tallclair commented 5 years ago

It might be useful to mark this feature as rotten, as it's been stuck in beta for too long, but IMO enhancements that have been merged into kubernetes should not be closed unless they are completed (GA) or deprecated & removed.

kacole2 commented 5 years ago

@tallclair anything happening here for 1.16? Any plans for deprecation?

tallclair commented 5 years ago

I have the beginnings of a plan to bring it to GA, but it might be a stretch to get to it in 1.16. I'll try to get a proposal out by enhancements freeze though.

mrbobbytables commented 5 years ago

@tallclair Do you think there's going to be any activity for this in the 1.17 release?

tallclair commented 5 years ago

I was hoping to get this to GA alongside seccomp in v1.17, but I'm probably only going to have time to do 1 (seccomp). If anyone else is interested in picking this up, I'd be happy to provide some pointers. Otherwise, I expect GA to happen in v1.18.

mrbobbytables commented 5 years ago

Noted. Will keep tabs on the thread in case anyone picks it up. Thanks for the update!

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

saschagrunert commented 4 years ago

/remove-lifecycle stale

saschagrunert commented 4 years ago

Hey 👋, is there anything we can do to move this one forward? I'd be happy to contribute to finish this one up.

jeremyrickard commented 4 years ago

Hey @tallclair, looks like the seccomp (https://github.com/kubernetes/enhancements/issues/135) issue didn't make 1.17, will you be trying to get this one for 1.18 in parallel to that one? Maybe @saschagrunert can pitch in and help you out with that? It doesn't look like there is a KEP associated with this, although I might have missed it if there is one. To get this into the 1.18 release, we'd need to have a KEP written that included the graduation to GA criteria and the test plan.

tallclair commented 4 years ago

Thanks for the offer @saschagrunert I'd welcome your help on this! The first thing to do is to write a KEP. If you're interested, take a look at the Seccomp to GA KEP. Most of that should translate directly to AppArmor, with a couple small differences:

  1. The AppArmor annotation is immutable - this actually makes it a lot simpler, as we can ignore changes on pod update.
  2. The behavior of localhost profiles makes a bit more sense in the case of AppArmor, so we can probably ignore some of the concerns about wanting to deprecate that.

I'd be happy to answer questions and help review the KEP, but I won't have time to work on it directly this release cycle.
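As an added example (not code from the Kubernetes project), a small Python check that mirrors the first point above: it validates the per-container annotation `container.apparmor.security.beta.kubernetes.io/<container>` on pod create and rejects any change to it on pod update. The profile-name syntax and the sample pod are assumptions constructed for the example.

```python
import re

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"  # beta key prefix; suffix is the container name
# Assumed conservative syntax for the <profile> part of localhost/<profile>.
PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

def apparmor_annotations(pod):
    """Map container name -> profile reference for every AppArmor annotation on the pod."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return {k[len(APPARMOR_PREFIX):]: v
            for k, v in annotations.items() if k.startswith(APPARMOR_PREFIX)}

def validate_profile_ref(ref):
    """None if ref is runtime/default, unconfined or a well-formed localhost/<profile>, else an error."""
    if ref in ("runtime/default", "unconfined"):
        return None
    if ref.startswith("localhost/") and PROFILE_NAME_RE.match(ref[len("localhost/"):]):
        return None
    return f"invalid AppArmor profile reference {ref!r}"

def validate_pod_create(pod):
    """Errors for a new pod: each annotation must name a container in the spec and be well-formed."""
    spec = pod.get("spec", {})
    names = {c["name"] for c in spec.get("containers", []) + spec.get("initContainers", [])}
    errors = []
    for cname, ref in apparmor_annotations(pod).items():
        if cname not in names:
            errors.append(f"annotation for unknown container {cname!r}")
        err = validate_profile_ref(ref)
        if err:
            errors.append(f"{cname}: {err}")
    return errors

def validate_pod_update(old, new):
    """Errors for an update: the AppArmor annotation set is immutable, so any change is rejected."""
    errors = validate_pod_create(new)
    if apparmor_annotations(old) != apparmor_annotations(new):
        errors.append("AppArmor annotations are immutable; changes on pod update are rejected")
    return errors

# Constructed sample pod: one properly confined container, one with a bad reference.
SAMPLE_POD = {
    "metadata": {"annotations": {APPARMOR_PREFIX + "app": "localhost/example-deny-write",
                                 APPARMOR_PREFIX + "sidecar": "docker/default"}},
    "spec": {"containers": [{"name": "app"}, {"name": "sidecar"}]},
}

if __name__ == "__main__":
    print(validate_pod_create(SAMPLE_POD))
```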

saschagrunert commented 4 years ago

> Thanks for the offer @saschagrunert I'd welcome your help on this! The first thing to do is to write a KEP. If you're interested, take a look at the [Seccomp to GA KEP]

Alright, I took the seccomp KEP and converted it to AppArmor, taking the differences into consideration (#1444) and addressing some of the latest review notes. I took the liberty of adding you as co-author, if you don't mind.

jeremyrickard commented 4 years ago

Hey @saschagrunert ( and @tallclair), assuming the KEP gets approved prior to enhancements freeze, do you think that this is something you'll accomplish during the 1.18 timeframe? Code Freeze for 1.18 will be March 5th. If you think it is, I'll go ahead and mark it as tracked for the release and get it into the milestone.

Let me know!

Thanks so much for picking this up @saschagrunert

saschagrunert commented 4 years ago

> Hey @saschagrunert ( and @tallclair), assuming the KEP gets approved prior to enhancements freeze, do you think that this is something you'll accomplish during the 1.18 timeframe? Code Freeze for 1.18 will be March 5th. If you think it is, I'll go ahead and mark it as tracked for the release and get it into the milestone.
>
> Let me know!
>
> Thanks so much for picking this up @saschagrunert

Hey @jeremyrickard, let's wait for the review of the KEP. :) From my point of view I would have time for the implementation, but I'm not sure if we can get the KEP review done until enhancement freeze (Jan 28).

jeremyrickard commented 4 years ago

Hey @saschagrunert, it looks like there hasn't been much traffic on the KEP. I wanted to check back in since we're about a week away from enhancement freeze. I'm guessing there won't be a big push before then, but please let us know!

saschagrunert commented 4 years ago

Hey, let's skip this KEP for 1.18. :) We can easily target it for 1.19.

jeremyrickard commented 4 years ago

Awesome, thanks for the update @saschagrunert.

tallclair commented 4 years ago

Thanks @saschagrunert. I want to get the open questions on the Seccomp KEP sorted out before reviewing the AppArmor one, otherwise we may just end up duplicating work.

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

jeremyrickard commented 4 years ago

/remove-lifecycle stale

msedzins commented 4 years ago

Hey there @tallclair -- 1.19 Enhancements shadow here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19?

In order to have this part of the release:

  1. The KEP PR must be merged in an implementable state
  2. The KEP must have test plans
  3. The KEP must have graduation criteria.

The current release schedule is:

If you do, I'll add it to the 1.19 tracking sheet (http://bit.ly/k8s-1-19-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks!

msedzins commented 4 years ago

Hi there @tallclair,

Kind reminder about my question above.

Regards, Mirek

tallclair commented 4 years ago

/assign @saschagrunert

Are you planning to get AppArmor to GA this release cycle?

saschagrunert commented 4 years ago

This KEP will not be part of 1.19 because we don’t have enough resources in SIG architecture to provide the API reviews.

msedzins commented 4 years ago

Thank you @saschagrunert for letting me know.

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale

saschagrunert commented 4 years ago

/remove-lifecycle stale

saschagrunert commented 4 years ago

Will target to work on this in v1.20.0.