Add a flag in ApparmorProfile CRD to switch to switch the profile into complain mode #2598

Merged
merged 7 commits into from
Dec 4, 2024
Merged
39 changes: 33 additions & 6 deletions api/apparmorprofile/v1alpha1/apparmorprofile_types.go
Expand Up @@ -31,44 +31,71 @@ var (
_ profilebasev1alpha1.SecurityProfileBase = &AppArmorProfile{}
)

// AppArmorExecutablesRules stores the rules for allowed executable.
type AppArmorExecutablesRules struct {
// AllowedExecutables list of allowed executables.
AllowedExecutables *[]string `json:"allowedExecutables,omitempty"`
AllowedLibraries *[]string `json:"allowedLibraries,omitempty"`
// AllowedLibraries list of allowed libraries.
AllowedLibraries *[]string `json:"allowedLibraries,omitempty"`
}

// AppArmorFsRules stores the rules for file system access.
type AppArmorFsRules struct {
ReadOnlyPaths *[]string `json:"readOnlyPaths,omitempty"`
// ReadOnlyPaths list of allowed read only file paths.
ReadOnlyPaths *[]string `json:"readOnlyPaths,omitempty"`
// WriteOnlyPaths list of allowed write only file paths.
WriteOnlyPaths *[]string `json:"writeOnlyPaths,omitempty"`
// ReadWritePaths list of allowed read write file paths.
ReadWritePaths *[]string `json:"readWritePaths,omitempty"`
}

// AppArmorAllowedProtocols stores the rules for allowed networking protocols.
type AppArmorAllowedProtocols struct {
// AllowTCP allows TCP socket connections.
AllowTCP *bool `json:"allowTcp,omitempty"`
// AllowUDP allows UDP sockets connections.
AllowUDP *bool `json:"allowUdp,omitempty"`
}

// AppArmorNetworkRules stores the rules for network access.
type AppArmorNetworkRules struct {
AllowRaw *bool `json:"allowRaw,omitempty"`
// AllowRaw allows raw sockets.
AllowRaw *bool `json:"allowRaw,omitempty"`
// Protocols keeps the allowed networking protocols.
Protocols *AppArmorAllowedProtocols `json:"allowedProtocols,omitempty"`
}

// AllowedCapabilities stores the rules of allowed Linux capabilities.
type AppArmorCapabilityRules struct {
// AllowedCapabilities lost of allowed capabilities.
AllowedCapabilities []string `json:"allowedCapabilities,omitempty"`
}

// AppArmorAbstract AppArmor profile which stores various allowed list for
// executable, file, network, capabilities access.
type AppArmorAbstract struct {
// Executable rules for allowed executables.
Executable *AppArmorExecutablesRules `json:"executable,omitempty"`
Filesystem *AppArmorFsRules `json:"filesystem,omitempty"`
Network *AppArmorNetworkRules `json:"network,omitempty"`
Capability *AppArmorCapabilityRules `json:"capability,omitempty"`
// Filesystem rules for filesystem access.
Filesystem *AppArmorFsRules `json:"filesystem,omitempty"`
// Network rules for network access.
Network *AppArmorNetworkRules `json:"network,omitempty"`
// Capability rules for Linux capabilities.
Capability *AppArmorCapabilityRules `json:"capability,omitempty"`
}

// AppArmorProfileSpec defines the desired state of AppArmorProfile.
type AppArmorProfileSpec struct {
// Common spec fields for all profiles.
profilebasev1alpha1.SpecBase `json:",inline"`

// Abstract stores the apparmor profile allow lists for executable, file, network and capabilities access.
Abstract AppArmorAbstract `json:"abstract,omitempty"`

// ComplainMode places the apparmor profile into "complain" mode, by default is placed in "enforce" mode.
// In complain mode, if a given action is not allowed, it will be allowed, but this violation will be
// logged with a tag of access being "ALLOWED unconfined".
ComplainMode bool `json:"complainMode,omitempty"`
}

// AppArmorProfileStatus defines the observed state of AppArmorProfile.
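Review bot: The new field comment `// AllowedCapabilities lost of allowed capabilities.` has a typo that the generated CRDs in this PR copy verbatim into three `description:` fields (the config CRD, deploy/base-crds and deploy/helm); it should read `// AllowedCapabilities list of allowed capabilities.` and the CRDs be regenerated. The type comment directly above it opens with `AllowedCapabilities` instead of the type name, unlike every other new type comment in the hunk; `// AppArmorCapabilityRules stores the rules of allowed Linux capabilities.` follows the godoc convention. On `ComplainMode`, the phrase "ALLOWED unconfined" conflates two states: audit lines for a complain-mode profile carry apparmor="ALLOWED" together with the profile name, whereas "unconfined" describes a process with no profile attached at all, so the wording should be checked against a real audit entry before it is baked into the CRD description. Because this flag removes all enforcement for the profile while leaving it loaded, the comment should also say what it is for and where violations surface, e.g. `// ComplainMode loads the profile in "complain" rather than the default "enforce" mode: nothing is denied and every would-be violation is audit-logged (apparmor="ALLOWED"); intended for developing a profile, not for production confinement.` The zero value already yields enforce mode, and a `// +kubebuilder:default=false` marker would make that explicit in the CRD the way `disabled` already carries `default: false`.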
Expand Up @@ -248,7 +248,7 @@ metadata:
capabilities: Basic Install
categories: Security
containerImage: registry.k8s.io/security-profiles-operator/security-profiles-operator:v0.8.4
createdAt: "2024-12-03T12:04:53Z"
createdAt: "2024-12-04T09:25:56Z"
olm.skipRange: '>=0.4.1 <0.8.5-dev'
operatorframework.io/cluster-monitoring: "true"
operatorframework.io/suggested-namespace: security-profiles-operator
Expand Up @@ -49,53 +49,78 @@ spec:
description: AppArmorProfileSpec defines the desired state of AppArmorProfile.
properties:
abstract:
description: Abstract stores the apparmor profile allow lists for
executable, file, network and capabilities access.
properties:
capability:
description: Capability rules for Linux capabilities.
properties:
allowedCapabilities:
description: AllowedCapabilities lost of allowed capabilities.
items:
type: string
type: array
type: object
executable:
description: Executable rules for allowed executables.
properties:
allowedExecutables:
description: AllowedExecutables list of allowed executables.
items:
type: string
type: array
allowedLibraries:
description: AllowedLibraries list of allowed libraries.
items:
type: string
type: array
type: object
filesystem:
description: Filesystem rules for filesystem access.
properties:
readOnlyPaths:
description: ReadOnlyPaths list of allowed read only file
paths.
items:
type: string
type: array
readWritePaths:
description: ReadWritePaths list of allowed read write file
paths.
items:
type: string
type: array
writeOnlyPaths:
description: WriteOnlyPaths list of allowed write only file
paths.
items:
type: string
type: array
type: object
network:
description: Network rules for network access.
properties:
allowRaw:
description: AllowRaw allows raw sockets.
type: boolean
allowedProtocols:
description: Protocols keeps the allowed networking protocols.
properties:
allowTcp:
description: AllowTCP allows TCP socket connections.
type: boolean
allowUdp:
description: AllowUDP allows UDP sockets connections.
type: boolean
type: object
type: object
type: object
complainMode:
description: |-
ComplainMode places the apparmor profile into "complain" mode, by default is placed in "enforce" mode.
In complain mode, if a given action is not allowed, it will be allowed, but this violation will be
logged with a tag of access being "ALLOWED unconfined".
type: boolean
disabled:
default: false
description: Whether the profile is disabled and should be skipped
25 changes: 25 additions & 0 deletions deploy/base-crds/crds/apparmorprofile.yaml
Expand Up @@ -46,53 +46,78 @@ spec:
description: AppArmorProfileSpec defines the desired state of AppArmorProfile.
properties:
abstract:
description: Abstract stores the apparmor profile allow lists for
executable, file, network and capabilities access.
properties:
capability:
description: Capability rules for Linux capabilities.
properties:
allowedCapabilities:
description: AllowedCapabilities lost of allowed capabilities.
items:
type: string
type: array
type: object
executable:
description: Executable rules for allowed executables.
properties:
allowedExecutables:
description: AllowedExecutables list of allowed executables.
items:
type: string
type: array
allowedLibraries:
description: AllowedLibraries list of allowed libraries.
items:
type: string
type: array
type: object
filesystem:
description: Filesystem rules for filesystem access.
properties:
readOnlyPaths:
description: ReadOnlyPaths list of allowed read only file
paths.
items:
type: string
type: array
readWritePaths:
description: ReadWritePaths list of allowed read write file
paths.
items:
type: string
type: array
writeOnlyPaths:
description: WriteOnlyPaths list of allowed write only file
paths.
items:
type: string
type: array
type: object
network:
description: Network rules for network access.
properties:
allowRaw:
description: AllowRaw allows raw sockets.
type: boolean
allowedProtocols:
description: Protocols keeps the allowed networking protocols.
properties:
allowTcp:
description: AllowTCP allows TCP socket connections.
type: boolean
allowUdp:
description: AllowUDP allows UDP sockets connections.
type: boolean
type: object
type: object
type: object
complainMode:
description: |-
ComplainMode places the apparmor profile into "complain" mode, by default is placed in "enforce" mode.
In complain mode, if a given action is not allowed, it will be allowed, but this violation will be
logged with a tag of access being "ALLOWED unconfined".
type: boolean
disabled:
default: false
description: Whether the profile is disabled and should be skipped
25 changes: 25 additions & 0 deletions deploy/helm/crds/crds.yaml
Expand Up @@ -2236,53 +2236,78 @@ spec:
description: AppArmorProfileSpec defines the desired state of AppArmorProfile.
properties:
abstract:
description: Abstract stores the apparmor profile allow lists for
executable, file, network and capabilities access.
properties:
capability:
description: Capability rules for Linux capabilities.
properties:
allowedCapabilities:
description: AllowedCapabilities lost of allowed capabilities.
items:
type: string
type: array
type: object
executable:
description: Executable rules for allowed executables.
properties:
allowedExecutables:
description: AllowedExecutables list of allowed executables.
items:
type: string
type: array
allowedLibraries:
description: AllowedLibraries list of allowed libraries.
items:
type: string
type: array
type: object
filesystem:
description: Filesystem rules for filesystem access.
properties:
readOnlyPaths:
description: ReadOnlyPaths list of allowed read only file
paths.
items:
type: string
type: array
readWritePaths:
description: ReadWritePaths list of allowed read write file
paths.
items:
type: string
type: array
writeOnlyPaths:
description: WriteOnlyPaths list of allowed write only file
paths.
items:
type: string
type: array
type: object
network:
description: Network rules for network access.
properties:
allowRaw:
description: AllowRaw allows raw sockets.
type: boolean
allowedProtocols:
description: Protocols keeps the allowed networking protocols.
properties:
allowTcp:
description: AllowTCP allows TCP socket connections.
type: boolean
allowUdp:
description: AllowUDP allows UDP sockets connections.
type: boolean
type: object
type: object
type: object
complainMode:
description: |-
ComplainMode places the apparmor profile into "complain" mode, by default is placed in "enforce" mode.
In complain mode, if a given action is not allowed, it will be allowed, but this violation will be
logged with a tag of access being "ALLOWED unconfined".
type: boolean
disabled:
default: false
description: Whether the profile is disabled and should be skipped