sigs.k8s.io/security-profiles-operator
This project is the starting point for the Security Profiles Operator (SPO), an out-of-tree Kubernetes enhancement which aims to make it easier for users to use SELinux, seccomp and AppArmor in Kubernetes clusters.
The motivation behind the project can be found in the corresponding RFC.
Related Kubernetes Enhancement Proposals (KEPs) which have direct influence on this project:
Next to those KEPs, here are existing approaches for security profiles in the Kubernetes world:
The SPO's features are implemented for each one of the underlying supported technologies, namely: Seccomp, SELinux and AppArmor. Here's the feature parity status across them:
Feature | Seccomp | SELinux | AppArmor |
---|---|---|---|
Profile CRD | Yes | Yes | Yes |
ProfileBinding | Yes | No | No |
Deploy profiles into nodes | Yes | Yes | Yes |
Remove profiles no longer in use | Yes | Yes | Yes |
Profile Auto-generation (logs) | Yes | WIP | No |
Profile Auto-generation (ebpf) | Yes | No | No |
Audit log enrichment | Yes | WIP | Yes |
For information about the security model and what permissions each feature requires, refer to SPO's security model.
Like any other piece of software, this operator is meant to help people. Thus, the target personas have been reflected in a document in this repo.
The functionality that this operator is meant to enable is captured as user stories. If you feel that a user story is not captured properly, feel free to submit a Pull Request. The team will be more than happy to review and help you reflect the requirement.
The project tries to not overlap with those existing implementations to provide valuable additions in a more secure Kubernetes context. We created a mind map to get a better feeling about all features we want to implement to better support some security areas within Kubernetes:
Going forward, the operator will extend its purpose to assist Kubernetes users in creating, distributing and applying security profiles for seccomp, AppArmor, SELinux, PodSecurityPolicies and RBAC permissions.
If you're interested in contributing to SPO, please see the developer-focused document.
We schedule a monthly meeting on the last Thursday of every month.
Learn how to engage with the Kubernetes community on the community page.
You can reach the maintainers of this project at:
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.