Add native AppArmor policy support in KubeArmorPolicy #150

Merged (1 commit) on Jun 14, 2021

oneiro-naut
Contributor

This commit makes it possible for us to embed native apparmor rules in the YAML policy. It
adds a new field in the spec called apparmor of type string.

Fixes: #54

@@ -296,6 +296,7 @@ type KubeArmorPolicySpec struct {
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
// Important: Run "make" to regenerate code after modifying this file

Apparmor string `json:"apparmor,omitempty"`
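
Review bot: The `Apparmor` field added to `KubeArmorPolicySpec` below the "INSERT ADDITIONAL SPEC FIELDS" comment is a free-form `string` with no doc comment, so nothing in the type says what it should contain. Please add a comment above it stating that it carries native AppArmor rules embedded in the YAML policy and what is expected when it is set together with the rest of the spec. Since the type is only `string`, any checking of the rule text has to happen where the field is consumed, and the comment is a good place to say so.
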
Collaborator

Please add Apparmor after Resource.

@@ -384,6 +384,7 @@ type SecuritySpec struct {
Tags []string `json:"tags,omitempty"`
Message string `json:"message,omitempty"`

Apparmor string `json:"apparmor,omitempty"`
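
Review bot: The `Apparmor` field added to `SecuritySpec` after `Message` is tagged `omitempty` on a plain `string`, so an empty value and an absent field serialize identically; if an empty string is meant to signal "no native profile", say so in a comment on the field. As a style point, consider naming the Go field `AppArmor` to match the spelling used in the PR title, keeping the `apparmor` JSON key as it is.
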
Collaborator

Add Apparmor after Resource.

@nam-jaehyun
Collaborator

nam-jaehyun commented Jun 13, 2021

Need testing outcomes including:

  • a test YAML file with a native AppArmor profile
  • the screenshots for the overall process
    • the YAML application,
    • the native AppArmor enforcement,
    • and some results related to the AppArmor profile.
  • any consideration like
    • what happens when a general policy and a policy with a native profile are deployed together for the same labels?

@oneiro-naut
Contributor Author

Hi @nam-jaehyun. I have changed my commit as per your suggestions. For the tests, I have tested these on a few YAML files I created locally, but I did not add them in this commit. I will let you know as soon as I finish with the testing outcomes with screenshots and overall steps.

@nam-jaehyun
Collaborator

@oneiro-naut Good! Please let me know when you're done.

@oneiro-naut
Contributor Author

Hi @nam-jaehyun. I have shared with you a document containing screenshots and some observations via email.

This commit makes it possible for us to embed native apparmor rules in the YAML policy.
It adds a new field in the spec called apparmor of type string.

Fixes: kubearmor#54

Signed-off-by: Ayush Dwivedi <ayush.dwivedi@accuknox.com>
@oneiro-naut
Contributor Author

Hi @nam-jaehyun. I have made the changes with adding empty newlines.

@nam-jaehyun nam-jaehyun merged commit cc3b39c into kubearmor:master Jun 14, 2021
@nam-jaehyun
Collaborator

If you're available, it would be good for you to pick #86.

@oneiro-naut oneiro-naut deleted the native-apparmor branch June 14, 2021 07:43
@oneiro-naut
Contributor Author

@nam-jaehyun I think @daemon1024 is already looking into this issue.

@nam-jaehyun
Collaborator

@oneiro-naut It looks like..
Then, please create a new issue for the policy match with a native AppArmor profile and work on the issue.

@oneiro-naut
Contributor Author

Hi @nam-jaehyun. I have added the issue. Can you please review if the statement is stated correctly? Also, please assign me to the same.

Successfully merging this pull request may close these issues.

Apply native apparmor (or any LSM) policy using KubeArmor