---
# Identity the KubeArmor pod runs as. It is bound cluster-wide by the
# ClusterRoleBinding later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubearmor
  namespace: kubearmor
---
# Cluster-wide permissions for the kubearmor ServiceAccount.
# NOTE(review): patch/update on pods, nodes and namespaces is granted for
# every namespace in the cluster; confirm each verb is really required
# before using this outside a test cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubearmor-clusterrole
rules:
  # "" is the core API group (pods, nodes, namespaces, configmaps).
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - namespaces
      - configmaps
    verbs:
      - get
      - patch
      - list
      - watch
      - update
  # Workload controllers.
  - apiGroups:
      - apps
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - get
      - patch
      - list
      - watch
      - update
  # KubeArmor's own policy CRDs. This is the only rule that grants delete.
  - apiGroups:
      - security.kubearmor.com
    resources:
      - kubearmorpolicies
      - kubearmorhostpolicies
    verbs:
      - get
      - list
      - watch
      - update
      - delete
  # Read-only access to API group discovery.
  - nonResourceURLs:
      - /apis
      - /apis/*
    verbs:
      - get
---
# Attaches kubearmor-clusterrole to the kubearmor ServiceAccount in the
# kubearmor namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubearmor-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubearmor-clusterrole
subjects:
  - kind: ServiceAccount
    name: kubearmor
    namespace: kubearmor
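---
# KubeArmor packaged as a single-replica Deployment, pinned to one node by
# the hard-coded KUBEARMOR_NODENAME value and run under the kata-qemu
# RuntimeClass.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    # NOTE(review): the label value "nginx" looks copied from a template.
    # It is kept as-is because spec.selector is immutable on an existing
    # Deployment; renaming it means deleting and recreating the object.
    app: nginx
  name: kubearmor
  namespace: kubearmor
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # NOTE(review): under a Kata RuntimeClass the pod runs inside its own
      # VM, so hostPID and the /sys hostPath mounts below refer to the
      # sandbox kernel rather than the node kernel. Confirm that is the
      # intent.
      runtimeClassName: kata-qemu
      containers:
        - name: kubearmor
          # Untagged reference resolves to :latest and is re-pulled on every
          # start (imagePullPolicy: Always). Pin a tag or digest for
          # reproducible rollouts.
          image: rootxrishabh/workingkubearmor
          imagePullPolicy: Always
          args:
            # NOTE(review): the two quote characters are part of this plain
            # scalar, so the process receives the literal text
            # -untrackedNs="" rather than an empty value. Write
            # `- -untrackedNs=` if an empty list was intended.
            - -untrackedNs=""
            - -useOCIHooks=true
          env:
            # Hard-coded node name. A valueFrom.fieldRef on spec.nodeName
            # would make this follow wherever the pod is scheduled.
            - name: KUBEARMOR_NODENAME
              value: rootxrishabh
          ports:
            - containerPort: 32767
          securityContext:
            # privileged: true already grants every capability, so this add
            # list has no runtime effect; it only documents what the agent
            # would need without privileged mode.
            capabilities:
              add:
                - SETUID
                - SETGID
                - SETPCAP
                - SYS_ADMIN
                - SYS_PTRACE
                - MAC_ADMIN
                - SYS_RESOURCE
                - IPC_LOCK
                # Kubernetes capability names omit the CAP_ prefix; these two
                # were CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH and are
                # normalized to match the other entries.
                - DAC_OVERRIDE
                - DAC_READ_SEARCH
            privileged: true
            runAsUser: 0
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /opt/kubearmor/BPF
              name: bpf
            - mountPath: /lib/modules
              name: lib-modules-path
              readOnly: true
            - mountPath: /sys/fs/bpf
              name: sys-fs-bpf-path
            - mountPath: /var/run/kubearmor/
              name: hook-socket-dir
            - mountPath: /sys/kernel/debug
              name: sys-kernel-debug-path
        # A second container "kubearmor1" (image ubuntu:latest, no command)
        # was removed: with no command the image's default shell exits
        # immediately, leaving the pod permanently not Ready, and it sat in
        # the shared PID namespace (hostPID: true) with nothing to do there.
        # Use `kubectl debug` for an ad-hoc shell instead.
      initContainers:
        - image: kubearmor/kubearmor-init  # alternative: rootxrishabh/rishabhkubearmorinit
          imagePullPolicy: Always
          name: init
          securityContext:
            # drop: ALL, an add list and privileged: true together —
            # privileged wins, so the drop/add pair has no runtime effect.
            capabilities:
              add:
                - SETUID
                - SETGID
                - SETPCAP
                - SYS_ADMIN
                - SYS_PTRACE
                - MAC_ADMIN
                - SYS_RESOURCE
                - IPC_LOCK
                # Normalized from CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH
                # (Kubernetes names capabilities without the CAP_ prefix).
                - DAC_OVERRIDE
                - DAC_READ_SEARCH
              drop:
                - ALL
            privileged: true
          volumeMounts:
            - mountPath: /opt/kubearmor/BPF
              name: bpf
            - mountPath: /lib/modules
              name: lib-modules-path
              readOnly: true
            - mountPath: /sys/fs/bpf
              name: sys-fs-bpf-path
            - mountPath: /usr/src
              name: usr-src-path
              readOnly: true
      dnsPolicy: ClusterFirst
      # Every container in the pod sees the host (or, under Kata, the
      # sandbox VM) PID namespace.
      hostPID: true
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: Always
      serviceAccountName: kubearmor
      terminationGracePeriodSeconds: 60
      # Tolerates every taint, so the pod may also land on tainted
      # control-plane nodes.
      tolerations:
        - operator: Exists
      volumes:
        - emptyDir: {}
          name: bpf
        - hostPath:
            path: /lib/modules
            type: DirectoryOrCreate
          name: lib-modules-path
        - hostPath:
            path: /sys/fs/bpf
            type: Directory
          name: sys-fs-bpf-path
        - hostPath:
            path: /sys/kernel/debug
            type: Directory
          name: sys-kernel-debug-path
        - hostPath:
            path: /usr/src
            type: Directory
          name: usr-src-path
        - hostPath:
            path: /var/run/kubearmor/
            type: DirectoryOrCreate
          name: hook-socket-dir
        # Removed hostPath volumes that no container mounted:
        # /sys/kernel/security, /etc/os-release, /etc/apparmor.d and
        # /run/k3s/containerd/containerd.sock. Re-add one together with a
        # volumeMount if the agent turns out to need it; declaring host
        # paths that are never used only widens what the manifest asks for.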
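# NOTE(review): the file previously repeated the ClusterRole
# "kubearmor-clusterrole" and the ClusterRoleBinding
# "kubearmor-clusterrolebinding" here, byte-identical to the documents
# declared earlier in this file. The second copies were dropped so each
# object is declared exactly once; `kubectl apply` would otherwise apply the
# same objects twice in one run.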