# ServiceAccount the KubeArmor pod runs as; it is bound cluster-wide by the
# ClusterRoleBinding later in this file, so every container in that pod
# (including any sidecar) can use its token.
# Assumes the `kubearmor` namespace already exists: no Namespace object is
# part of this manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubearmor
  namespace: kubearmor
---
# Cluster-wide permissions granted to the kubearmor ServiceAccount.
# `patch`/`update` on pods, nodes, namespaces and configmaps in every
# namespace, plus `update`/`delete` on KubeArmor policy objects, are broad
# write rights; presumably they serve annotation of workloads and nodes, so
# trim any verb the agent build in use does not need.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubearmor-clusterrole
rules:
  # Core API: read plus patch/update on workload, node and config objects.
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - namespaces
      - configmaps
    verbs:
      - get
      - patch
      - list
      - watch
      - update
  # Workload controllers in every namespace.
  - apiGroups:
      - apps
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - get
      - patch
      - list
      - watch
      - update
  # KubeArmor's own CRDs; `delete` lets the agent remove policies.
  - apiGroups:
      - security.kubearmor.com
    resources:
      - kubearmorpolicies
      - kubearmorhostpolicies
    verbs:
      - get
      - list
      - watch
      - update
      - delete
  # API discovery endpoints (read-only).
  - nonResourceURLs:
      - /apis
      - /apis/*
    verbs:
      - get
---
# Binds the cluster-wide role above to the kubearmor ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubearmor-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubearmor-clusterrole
subjects:
  - kind: ServiceAccount
    name: kubearmor
    namespace: kubearmor
---
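# KubeArmor agent packaged as a single-replica Deployment (upstream ships it
# as a DaemonSet so every node gets an agent). The pod is deliberately
# high-privilege: privileged containers, hostPID, root and several hostPath
# mounts, so the target namespace must allow the `privileged` Pod Security
# level and nothing unrelated should share this pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    # Label value kept as-is: the selector below depends on it and a
    # Deployment's selector is immutable once created.
    app: nginx
  name: kubearmor
  namespace: kubearmor
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      # NOTE(review): under a Kata runtime, hostPID and the hostPath mounts
      # refer to the sandbox VM, not the worker node kernel — confirm this is
      # the intended experiment (the -useOCIHooks flag suggests it is).
      runtimeClassName: kata-qemu
      containers:
        - name: kubearmor
          # Unpinned tag; pin a tag or digest for reproducible rollouts.
          image: rootxrishabh/workingkubearmor
          imagePullPolicy: Always
          args:
            # Single-quoted so the flag receives an empty value. The original
            # plain scalar `-untrackedNs=""` handed the two literal quote
            # characters to the agent as the namespace list.
            - '-untrackedNs='
            - '-useOCIHooks=true'
          env:
            - name: KUBEARMOR_NODENAME
              # Resolved from the node the pod is scheduled on instead of a
              # hard-coded node name, so the manifest works on any node.
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ports:
            - containerPort: 32767
          securityContext:
            # `privileged: true` already grants every capability; the list
            # below only documents what the agent is expected to need.
            # Kubernetes capability names are written without the CAP_ prefix.
            capabilities:
              add:
                - SETUID
                - SETGID
                - SETPCAP
                - SYS_ADMIN
                - SYS_PTRACE
                - MAC_ADMIN
                - SYS_RESOURCE
                - IPC_LOCK
                - DAC_OVERRIDE
                - DAC_READ_SEARCH
            privileged: true
            runAsUser: 0
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /opt/kubearmor/BPF
              name: bpf
            - mountPath: /lib/modules
              name: lib-modules-path
              readOnly: true
            - mountPath: /sys/fs/bpf
              name: sys-fs-bpf-path
            - mountPath: /var/run/kubearmor/
              name: hook-socket-dir
            - mountPath: /sys/kernel/debug
              name: sys-kernel-debug-path
        # Debug/test sidecar. The stock ubuntu image's entrypoint is an
        # interactive shell that exits at once without a TTY, which put the
        # whole pod into CrashLoopBackOff; an explicit command keeps it alive.
        # It shares the pod's hostPID namespace and the kubearmor
        # service-account token, so drop it outside of experiments.
        - name: kubearmor1
          image: ubuntu:latest
          command: ["sleep", "infinity"]
      initContainers:
        - image: kubearmor/kubearmor-init  # rootxrishabh/rishabhkubearmorinit
          imagePullPolicy: Always
          name: init
          securityContext:
            # Drops ALL and adds a list back, but `privileged: true` makes the
            # runtime grant every capability regardless; this records intent
            # rather than enforcing a restriction.
            capabilities:
              add:
                - SETUID
                - SETGID
                - SETPCAP
                - SYS_ADMIN
                - SYS_PTRACE
                - MAC_ADMIN
                - SYS_RESOURCE
                - IPC_LOCK
                - DAC_OVERRIDE
                - DAC_READ_SEARCH
              drop:
                - ALL
            privileged: true
          volumeMounts:
            - mountPath: /opt/kubearmor/BPF
              name: bpf
            - mountPath: /lib/modules
              name: lib-modules-path
              readOnly: true
            - mountPath: /sys/fs/bpf
              name: sys-fs-bpf-path
            - mountPath: /usr/src
              name: usr-src-path
              readOnly: true
      dnsPolicy: ClusterFirst
      hostPID: true
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: Always
      serviceAccountName: kubearmor
      terminationGracePeriodSeconds: 60
      tolerations:
        # Schedulable on every node, taints included.
        - operator: Exists
      volumes:
        - emptyDir: {}
          name: bpf
        - hostPath:
            path: /lib/modules
            type: DirectoryOrCreate
          name: lib-modules-path
        - hostPath:
            path: /sys/fs/bpf
            type: Directory
          name: sys-fs-bpf-path
        # The volumes sys-kernel-security-path, os-release-path,
        # etc-apparmor-d-path and containerd-sock-path are declared but not
        # mounted by any container in this spec.
        - hostPath:
            path: /sys/kernel/security
            type: Directory
          name: sys-kernel-security-path
        - hostPath:
            path: /sys/kernel/debug
            type: Directory
          name: sys-kernel-debug-path
        - hostPath:
            path: /etc/os-release
            type: File
          name: os-release-path
        - hostPath:
            path: /usr/src
            type: Directory
          name: usr-src-path
        - hostPath:
            path: /etc/apparmor.d
            type: DirectoryOrCreate
          name: etc-apparmor-d-path
        # k3s-specific socket path. `type: Socket` requires the path to exist
        # on the node; NOTE(review): the kubelet may still validate an unmounted
        # volume, which would block startup on non-k3s nodes — confirm.
        - hostPath:
            path: /run/k3s/containerd/containerd.sock
            type: Socket
          name: containerd-sock-path
        - hostPath:
            path: /var/run/kubearmor/
            type: DirectoryOrCreate
          name: hook-socket-dir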
---
# Identical to the kubearmor-clusterrole document earlier in this file.
# Applying the file creates the object once and then re-applies the same
# content, so one of the two copies can be removed without any change.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubearmor-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - namespaces
      - configmaps
    verbs:
      - get
      - patch
      - list
      - watch
      - update
  - apiGroups:
      - apps
    resources:
      - deployments
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - get
      - patch
      - list
      - watch
      - update
  - apiGroups:
      - security.kubearmor.com
    resources:
      - kubearmorpolicies
      - kubearmorhostpolicies
    verbs:
      - get
      - list
      - watch
      - update
      - delete
  - nonResourceURLs:
      - /apis
      - /apis/*
    verbs:
      - get
---
# Identical to the kubearmor-clusterrolebinding document earlier in this
# file; a second apply of the same content is redundant and one copy can go.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubearmor-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubearmor-clusterrole
subjects:
  - kind: ServiceAccount
    name: kubearmor
    namespace: kubearmor