pjbgf/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Enable the use of AppArmor profiles by adding:
annotations:
   container.apparmor.security.beta.kubernetes.io/manager: localhost/flux-controllers
Ensure that the profiles are installed on all worker nodes, manually or with SPO:
https://github.com/kubernetes-sigs/security-profiles-operator

  
## flux-controllers.aa
#include <tunables/global>

profile flux-controllers flags=(attach_disconnected, mediate_deleted) {
  include <abstractions/base>
  include <abstractions/ssl_certs>
  include <abstractions/gnupg>
  include <abstractions/user-tmp>

  # Allow udp/tcp, ipv4 and ipv6.
  network inet stream,
  network inet6 stream,
  network tcp,
  network udp,

  # Controller binaries.
  /usr/local/bin/{source,helm,kustomize,image-automation,image-reflector,notification}-controller mrix,

  # gpg is needed by kustomize-controller when using GPG decryption.
  /usr/bin/gpg{,-agent} mrix,

  # Some controllers are started via tini.
  /sbin/tini mrix,

  # git is needed by kustomize-controller when using remote bases.
  /usr/bin/git mrix,

  # Data storage locations.
  # /data is used as artifact storage and base for File Server.
  /data/ rwk,
  /data/** rwk,

  # Access to Kubernetes service account tokens.
  /run/secrets/kubernetes.io/serviceaccount/** r,

  /etc/{group,passwd,hosts} r,
  /etc/{nsswitch,resolv}.conf r,

  /proc/sys/net/core/somaxconn r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # Deny raw and packet level network access.
  deny network raw,
  deny network packet,

  # Allow read access to its own process files.
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/** r,

  # The denied capabilities below will triumph over any capabilities
  # given at pod-level or by default from the container runtime.
  deny capability net_bind_service, # no need for net_bind_service for ports above 1024.
  deny capability audit_control,
  deny capability dac_override,
  deny capability sys_{chroot,boot,module,admin,ptrace},
  deny capability syslog,
  deny capability net_{raw,admin},
  deny capability mac_{admin,override},
  deny capability mknod,
}
	#include <tunables/global>

	profile flux-controllers flags=(attach_disconnected, mediate_deleted) {
	include <abstractions/base>
	include <abstractions/ssl_certs>
	include <abstractions/gnupg>
	include <abstractions/user-tmp>

	# Allow udp/tcp, ipv4 and ipv6.
	network inet stream,
	network inet6 stream,
	network tcp,
	network udp,

	# Controller binaries.
	/usr/local/bin/{source,helm,kustomize,image-automation,image-reflector,notification}-controller mrix,

	# gpg is needed by kustomize-controller when using GPG decryption.
	/usr/bin/gpg{,-agent} mrix,

	# Some controllers are started via tini.
	/sbin/tini mrix,

	# git is needed by kustomize-controller when using remote bases.
	/usr/bin/git mrix,

	# Data storage locations.
	# /data is used as artifact storage and base for File Server.
	/data/ rwk,
	/data/** rwk,

	# Access to Kubernetes service account tokens.
	/run/secrets/kubernetes.io/serviceaccount/** r,

	/etc/{group,passwd,hosts} r,
	/etc/{nsswitch,resolv}.conf r,

	/proc/sys/net/core/somaxconn r,
	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

	# Deny raw and packet level network access.
	deny network raw,
	deny network packet,

	# Allow read access to its own process files.
	@{PROC}/@{pid}/ r,
	@{PROC}/@{pid}/** r,

	# The denied capabilities below will triumph over any capabilities
	# given at pod-level or by default from the container runtime.
	deny capability net_bind_service, # no need for net_bind_service for ports above 1024.
	deny capability audit_control,
	deny capability dac_override,
	deny capability sys_{chroot,boot,module,admin,ptrace},
	deny capability syslog,
	deny capability net_{raw,admin},
	deny capability mac_{admin,override},
	deny capability mknod,
	}