sigs.k8s.io/security-profiles-operator

Kubernetes Security Profiles Operator

The Security Profiles Operator (SPO) is an out-of-tree Kubernetes enhancement which aims to make it easier to create and use SELinux, seccomp and AppArmor security profiles in Kubernetes clusters.

• Installation and Usage
• Container Images
• Release Process
• Testgrid Dashboard

Features

This is the parity of features across various security profiles supported by the SPO:

	Seccomp	SELinux	AppArmor
Profile CRD	Yes	Yes	Yes
Install profiles in cluster	Yes	Yes	Yes
Remove unused profiles from cluster	Yes	Yes	Yes
Profile Recording (audit logs)	Yes	Yes	No
Profile Recording (eBPF)	Yes	No	Yes
Profile Binding to container images	Yes	No	No
Audit log enrichment	Yes	Yes	Yes

For information about the security model and what permissions each feature requires, refer to SPO's security model.

Resources

The motivation behind the project can be found in the corresponding RFC.

• Architecture
• Use Stories
• Personas

Related Kubernetes Enhancement Proposals (KEPs) which have direct influence on this project:

• Promote seccomp to GA
• Add ConfigMap support for seccomp custom profiles
• Add KEP to create seccomp built-in profiles and add complain mode

Next to those KEPs, here are existing approaches for security profiles in the Kubernetes world:

• AppArmor Loader
• OpenShift's Machine config operator, in charge of file management and security profiles on hosts
• seccomp-config

Community, discussions, contributions, and support

If you're interested in contributing to SPO, please see the developer focused document.

We schedule a monthly meeting every last Thursday of a month.

• Meeting Notes

Learn how to engage with the Kubernetes community on the community page.

You can reach the maintainers of this project at:

• Slack #security-profiles-operator
• Mailing List

Code of conduct

Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.