SECCOMP testing(DO NOT MERGE) #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: apiextensions.k8s.io/v1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| annotations: | |
| controller-gen.kubebuilder.io/version: v0.4.1 | |
| name: kubearmorpolicies.security.kubearmor.com | |
| spec: | |
| group: security.kubearmor.com | |
| names: | |
| kind: KubeArmorPolicy | |
| listKind: KubeArmorPolicyList | |
| plural: kubearmorpolicies | |
| shortNames: | |
| - ksp | |
| singular: kubearmorpolicy | |
| scope: Namespaced | |
| versions: | |
| - name: v1 | |
| schema: | |
| openAPIV3Schema: | |
| description: KubeArmorPolicy is the Schema for the kubearmorpolicies API | |
| properties: | |
| apiVersion: | |
| description: 'APIVersion defines the versioned schema of this representation | |
| of an object. Servers should convert recognized schemas to the latest | |
| internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
| type: string | |
| kind: | |
| description: 'Kind is a string value representing the REST resource this | |
| object represents. Servers may infer this from the endpoint the client | |
| submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
| type: string | |
| metadata: | |
| type: object | |
| spec: | |
| description: KubeArmorPolicySpec defines the desired state of KubeArmorPolicy | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| apparmor: | |
| type: string | |
| capabilities: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| matchCapabilities: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| capability: | |
| pattern: (chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_admin|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|audit_write|audit_control|setfcap|mac_override|mac_admin)$ | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - capability | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - matchCapabilities | |
| type: object | |
| file: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| matchDirectories: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| dir: | |
| pattern: ^\/$|^\/.*\/$ | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| readOnly: | |
| type: boolean | |
| recursive: | |
| type: boolean | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - dir | |
| type: object | |
| type: array | |
| matchPaths: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| readOnly: | |
| type: boolean | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - path | |
| type: object | |
| type: array | |
| matchPatterns: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| pattern: | |
| type: string | |
| readOnly: | |
| type: boolean | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - pattern | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| type: object | |
| message: | |
| type: string | |
| network: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| matchProtocols: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| protocol: | |
| pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - protocol | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - matchProtocols | |
| type: object | |
| process: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| matchDirectories: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| dir: | |
| pattern: ^\/$|^\/.*\/$ | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| recursive: | |
| type: boolean | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - dir | |
| type: object | |
| type: array | |
| matchPaths: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - path | |
| type: object | |
| type: array | |
| matchPatterns: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| pattern: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - pattern | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| type: object | |
| selector: | |
| properties: | |
| matchLabels: | |
| additionalProperties: | |
| type: string | |
| type: object | |
| type: object | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| syscalls: | |
| properties: | |
| matchPaths: | |
| items: | |
| properties: | |
| fromSource: | |
| items: | |
| properties: | |
| dir: | |
| type: string | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| recursive: | |
| type: boolean | |
| type: object | |
| type: array | |
| path: | |
| pattern: (^\/+.*[^\/]$)|(^\/$|^\/.*\/$) | |
| type: string | |
| recursive: | |
| type: boolean | |
| syscall: | |
| items: | |
| enum: | |
| - read | |
| - write | |
| - open | |
| - close | |
| - stat | |
| - fstat | |
| - lstat | |
| - poll | |
| - lseek | |
| - mmap | |
| - mprotect | |
| - munmap | |
| - brk | |
| - rt_sigaction | |
| - rt_sigprocmask | |
| - rt_sigreturn | |
| - ioctl | |
| - pread64 | |
| - pwrite64 | |
| - readv | |
| - writev | |
| - access | |
| - pipe | |
| - select | |
| - sched_yield | |
| - mremap | |
| - msync | |
| - mincore | |
| - madvise | |
| - shmget | |
| - shmat | |
| - shmctl | |
| - dup | |
| - dup2 | |
| - pause | |
| - nanosleep | |
| - getitimer | |
| - alarm | |
| - setitimer | |
| - getpid | |
| - sendfile | |
| - socket | |
| - connect | |
| - accept | |
| - sendto | |
| - recvfrom | |
| - sendmsg | |
| - recvmsg | |
| - shutdown | |
| - bind | |
| - listen | |
| - getsockname | |
| - getpeername | |
| - socketpair | |
| - setsockopt | |
| - getsockopt | |
| - clone | |
| - fork | |
| - vfork | |
| - execve | |
| - exit | |
| - wait4 | |
| - kill | |
| - uname | |
| - semget | |
| - semop | |
| - semctl | |
| - shmdt | |
| - msgget | |
| - msgsnd | |
| - msgrcv | |
| - msgctl | |
| - fcntl | |
| - flock | |
| - fsync | |
| - fdatasync | |
| - truncate | |
| - ftruncate | |
| - getdents | |
| - getcwd | |
| - chdir | |
| - fchdir | |
| - rename | |
| - mkdir | |
| - rmdir | |
| - creat | |
| - link | |
| - unlink | |
| - symlink | |
| - readlink | |
| - chmod | |
| - fchmod | |
| - chown | |
| - fchown | |
| - lchown | |
| - umask | |
| - gettimeofday | |
| - getrlimit | |
| - getrusage | |
| - sysinfo | |
| - times | |
| - ptrace | |
| - getuid | |
| - syslog | |
| - getgid | |
| - setuid | |
| - setgid | |
| - geteuid | |
| - getegid | |
| - setpgid | |
| - getppid | |
| - getpgrp | |
| - setsid | |
| - setreuid | |
| - setregid | |
| - getgroups | |
| - setgroups | |
| - setresuid | |
| - getresuid | |
| - setresgid | |
| - getresgid | |
| - getpgid | |
| - setfsuid | |
| - setfsgid | |
| - getsid | |
| - capget | |
| - capset | |
| - rt_sigpending | |
| - rt_sigtimedwait | |
| - rt_sigqueueinfo | |
| - rt_sigsuspend | |
| - sigaltstack | |
| - utime | |
| - mknod | |
| - uselib | |
| - personality | |
| - ustat | |
| - statfs | |
| - fstatfs | |
| - sysfs | |
| - getpriority | |
| - setpriority | |
| - sched_setparam | |
| - sched_getparam | |
| - sched_setscheduler | |
| - sched_getscheduler | |
| - sched_get_priority_max | |
| - sched_get_priority_min | |
| - sched_rr_get_interval | |
| - mlock | |
| - munlock | |
| - mlockall | |
| - munlockall | |
| - vhangup | |
| - modify_ldt | |
| - pivot_root | |
| - _sysctl | |
| - prctl | |
| - arch_prctl | |
| - adjtimex | |
| - setrlimit | |
| - chroot | |
| - sync | |
| - acct | |
| - settimeofday | |
| - mount | |
| - umount2 | |
| - swapon | |
| - swapoff | |
| - reboot | |
| - sethostname | |
| - setdomainname | |
| - iopl | |
| - ioperm | |
| - create_module | |
| - init_module | |
| - delete_module | |
| - get_kernel_syms | |
| - query_module | |
| - quotactl | |
| - nfsservctl | |
| - getpmsg | |
| - putpmsg | |
| - afs_syscall | |
| - tuxcall | |
| - security | |
| - gettid | |
| - readahead | |
| - setxattr | |
| - lsetxattr | |
| - fsetxattr | |
| - getxattr | |
| - lgetxattr | |
| - fgetxattr | |
| - listxattr | |
| - llistxattr | |
| - flistxattr | |
| - removexattr | |
| - lremovexattr | |
| - fremovexattr | |
| - tkill | |
| - time | |
| - futex | |
| - sched_setaffinity | |
| - sched_getaffinity | |
| - set_thread_area | |
| - io_setup | |
| - io_destroy | |
| - io_getevents | |
| - io_submit | |
| - io_cancel | |
| - get_thread_area | |
| - lookup_dcookie | |
| - epoll_create | |
| - epoll_ctl_old | |
| - epoll_wait_old | |
| - remap_file_pages | |
| - getdents64 | |
| - set_tid_address | |
| - restart_syscall | |
| - semtimedop | |
| - fadvise64 | |
| - timer_create | |
| - timer_settime | |
| - timer_gettime | |
| - timer_getoverrun | |
| - timer_delete | |
| - clock_settime | |
| - clock_gettime | |
| - clock_getres | |
| - clock_nanosleep | |
| - exit_group | |
| - epoll_wait | |
| - epoll_ctl | |
| - tgkill | |
| - utimes | |
| - vserver | |
| - mbind | |
| - set_mempolicy | |
| - get_mempolicy | |
| - mq_open | |
| - mq_unlink | |
| - mq_timedsend | |
| - mq_timedreceive | |
| - mq_notify | |
| - mq_getsetattr | |
| - kexec_load | |
| - waitid | |
| - add_key | |
| - request_key | |
| - keyctl | |
| - ioprio_set | |
| - ioprio_get | |
| - inotify_init | |
| - inotify_add_watch | |
| - inotify_rm_watch | |
| - migrate_pages | |
| - openat | |
| - mkdirat | |
| - mknodat | |
| - fchownat | |
| - futimesat | |
| - newfstatat | |
| - unlinkat | |
| - renameat | |
| - linkat | |
| - symlinkat | |
| - readlinkat | |
| - fchmodat | |
| - faccessat | |
| - pselect6 | |
| - ppoll | |
| - unshare | |
| - set_robust_list | |
| - get_robust_list | |
| - splice | |
| - tee | |
| - sync_file_range | |
| - vmsplice | |
| - move_pages | |
| - utimensat | |
| - epoll_pwait | |
| - signalfd | |
| - timerfd_create | |
| - eventfd | |
| - fallocate | |
| - timerfd_settime | |
| - timerfd_gettime | |
| - accept4 | |
| - signalfd4 | |
| - eventfd2 | |
| - epoll_create1 | |
| - dup3 | |
| - pipe2 | |
| - inotify_init1 | |
| - preadv | |
| - pwritev | |
| - rt_tgsigqueueinfo | |
| - perf_event_open | |
| - recvmmsg | |
| - fanotify_init | |
| - fanotify_mark | |
| - prlimit64 | |
| - name_to_handle_at | |
| - open_by_handle_at | |
| - clock_adjtime | |
| - syncfs | |
| - sendmmsg | |
| - setns | |
| - getcpu | |
| - process_vm_readv | |
| - process_vm_writev | |
| - kcmp | |
| - finit_module | |
| - sched_setattr | |
| - sched_getattr | |
| - renameat2 | |
| - seccomp | |
| - getrandom | |
| - memfd_create | |
| - kexec_file_load | |
| - bpf | |
| - execveat | |
| - userfaultfd | |
| - membarrier | |
| - mlock2 | |
| - copy_file_range | |
| - preadv2 | |
| - pwritev2 | |
| - pkey_mprotect | |
| - pkey_alloc | |
| - pkey_free | |
| - statx | |
| - io_pgetevents | |
| - rseq | |
| type: string | |
| type: array | |
| type: object | |
| type: array | |
| matchSyscalls: | |
| items: | |
| properties: | |
| fromSource: | |
| items: | |
| properties: | |
| dir: | |
| type: string | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| recursive: | |
| type: boolean | |
| type: object | |
| type: array | |
| syscall: | |
| items: | |
| enum: | |
| - read | |
| - write | |
| - open | |
| - close | |
| - stat | |
| - fstat | |
| - lstat | |
| - poll | |
| - lseek | |
| - mmap | |
| - mprotect | |
| - munmap | |
| - brk | |
| - rt_sigaction | |
| - rt_sigprocmask | |
| - rt_sigreturn | |
| - ioctl | |
| - pread64 | |
| - pwrite64 | |
| - readv | |
| - writev | |
| - access | |
| - pipe | |
| - select | |
| - sched_yield | |
| - mremap | |
| - msync | |
| - mincore | |
| - madvise | |
| - shmget | |
| - shmat | |
| - shmctl | |
| - dup | |
| - dup2 | |
| - pause | |
| - nanosleep | |
| - getitimer | |
| - alarm | |
| - setitimer | |
| - getpid | |
| - sendfile | |
| - socket | |
| - connect | |
| - accept | |
| - sendto | |
| - recvfrom | |
| - sendmsg | |
| - recvmsg | |
| - shutdown | |
| - bind | |
| - listen | |
| - getsockname | |
| - getpeername | |
| - socketpair | |
| - setsockopt | |
| - getsockopt | |
| - clone | |
| - fork | |
| - vfork | |
| - execve | |
| - exit | |
| - wait4 | |
| - kill | |
| - uname | |
| - semget | |
| - semop | |
| - semctl | |
| - shmdt | |
| - msgget | |
| - msgsnd | |
| - msgrcv | |
| - msgctl | |
| - fcntl | |
| - flock | |
| - fsync | |
| - fdatasync | |
| - truncate | |
| - ftruncate | |
| - getdents | |
| - getcwd | |
| - chdir | |
| - fchdir | |
| - rename | |
| - mkdir | |
| - rmdir | |
| - creat | |
| - link | |
| - unlink | |
| - symlink | |
| - readlink | |
| - chmod | |
| - fchmod | |
| - chown | |
| - fchown | |
| - lchown | |
| - umask | |
| - gettimeofday | |
| - getrlimit | |
| - getrusage | |
| - sysinfo | |
| - times | |
| - ptrace | |
| - getuid | |
| - syslog | |
| - getgid | |
| - setuid | |
| - setgid | |
| - geteuid | |
| - getegid | |
| - setpgid | |
| - getppid | |
| - getpgrp | |
| - setsid | |
| - setreuid | |
| - setregid | |
| - getgroups | |
| - setgroups | |
| - setresuid | |
| - getresuid | |
| - setresgid | |
| - getresgid | |
| - getpgid | |
| - setfsuid | |
| - setfsgid | |
| - getsid | |
| - capget | |
| - capset | |
| - rt_sigpending | |
| - rt_sigtimedwait | |
| - rt_sigqueueinfo | |
| - rt_sigsuspend | |
| - sigaltstack | |
| - utime | |
| - mknod | |
| - uselib | |
| - personality | |
| - ustat | |
| - statfs | |
| - fstatfs | |
| - sysfs | |
| - getpriority | |
| - setpriority | |
| - sched_setparam | |
| - sched_getparam | |
| - sched_setscheduler | |
| - sched_getscheduler | |
| - sched_get_priority_max | |
| - sched_get_priority_min | |
| - sched_rr_get_interval | |
| - mlock | |
| - munlock | |
| - mlockall | |
| - munlockall | |
| - vhangup | |
| - modify_ldt | |
| - pivot_root | |
| - _sysctl | |
| - prctl | |
| - arch_prctl | |
| - adjtimex | |
| - setrlimit | |
| - chroot | |
| - sync | |
| - acct | |
| - settimeofday | |
| - mount | |
| - umount2 | |
| - swapon | |
| - swapoff | |
| - reboot | |
| - sethostname | |
| - setdomainname | |
| - iopl | |
| - ioperm | |
| - create_module | |
| - init_module | |
| - delete_module | |
| - get_kernel_syms | |
| - query_module | |
| - quotactl | |
| - nfsservctl | |
| - getpmsg | |
| - putpmsg | |
| - afs_syscall | |
| - tuxcall | |
| - security | |
| - gettid | |
| - readahead | |
| - setxattr | |
| - lsetxattr | |
| - fsetxattr | |
| - getxattr | |
| - lgetxattr | |
| - fgetxattr | |
| - listxattr | |
| - llistxattr | |
| - flistxattr | |
| - removexattr | |
| - lremovexattr | |
| - fremovexattr | |
| - tkill | |
| - time | |
| - futex | |
| - sched_setaffinity | |
| - sched_getaffinity | |
| - set_thread_area | |
| - io_setup | |
| - io_destroy | |
| - io_getevents | |
| - io_submit | |
| - io_cancel | |
| - get_thread_area | |
| - lookup_dcookie | |
| - epoll_create | |
| - epoll_ctl_old | |
| - epoll_wait_old | |
| - remap_file_pages | |
| - getdents64 | |
| - set_tid_address | |
| - restart_syscall | |
| - semtimedop | |
| - fadvise64 | |
| - timer_create | |
| - timer_settime | |
| - timer_gettime | |
| - timer_getoverrun | |
| - timer_delete | |
| - clock_settime | |
| - clock_gettime | |
| - clock_getres | |
| - clock_nanosleep | |
| - exit_group | |
| - epoll_wait | |
| - epoll_ctl | |
| - tgkill | |
| - utimes | |
| - vserver | |
| - mbind | |
| - set_mempolicy | |
| - get_mempolicy | |
| - mq_open | |
| - mq_unlink | |
| - mq_timedsend | |
| - mq_timedreceive | |
| - mq_notify | |
| - mq_getsetattr | |
| - kexec_load | |
| - waitid | |
| - add_key | |
| - request_key | |
| - keyctl | |
| - ioprio_set | |
| - ioprio_get | |
| - inotify_init | |
| - inotify_add_watch | |
| - inotify_rm_watch | |
| - migrate_pages | |
| - openat | |
| - mkdirat | |
| - mknodat | |
| - fchownat | |
| - futimesat | |
| - newfstatat | |
| - unlinkat | |
| - renameat | |
| - linkat | |
| - symlinkat | |
| - readlinkat | |
| - fchmodat | |
| - faccessat | |
| - pselect6 | |
| - ppoll | |
| - unshare | |
| - set_robust_list | |
| - get_robust_list | |
| - splice | |
| - tee | |
| - sync_file_range | |
| - vmsplice | |
| - move_pages | |
| - utimensat | |
| - epoll_pwait | |
| - signalfd | |
| - timerfd_create | |
| - eventfd | |
| - fallocate | |
| - timerfd_settime | |
| - timerfd_gettime | |
| - accept4 | |
| - signalfd4 | |
| - eventfd2 | |
| - epoll_create1 | |
| - dup3 | |
| - pipe2 | |
| - inotify_init1 | |
| - preadv | |
| - pwritev | |
| - rt_tgsigqueueinfo | |
| - perf_event_open | |
| - recvmmsg | |
| - fanotify_init | |
| - fanotify_mark | |
| - prlimit64 | |
| - name_to_handle_at | |
| - open_by_handle_at | |
| - clock_adjtime | |
| - syncfs | |
| - sendmmsg | |
| - setns | |
| - getcpu | |
| - process_vm_readv | |
| - process_vm_writev | |
| - kcmp | |
| - finit_module | |
| - sched_setattr | |
| - sched_getattr | |
| - renameat2 | |
| - seccomp | |
| - getrandom | |
| - memfd_create | |
| - kexec_file_load | |
| - bpf | |
| - execveat | |
| - userfaultfd | |
| - membarrier | |
| - mlock2 | |
| - copy_file_range | |
| - preadv2 | |
| - pwritev2 | |
| - pkey_mprotect | |
| - pkey_alloc | |
| - pkey_free | |
| - statx | |
| - io_pgetevents | |
| - rseq | |
| type: string | |
| type: array | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| type: object | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| type: object | |
| status: | |
| description: KubeArmorPolicyStatus defines the observed state of KubeArmorPolicy | |
| properties: | |
| status: | |
| type: string | |
| type: object | |
| type: object | |
| served: true | |
| storage: true | |
| subresources: | |
| status: {} | |
| --- | |
| apiVersion: apiextensions.k8s.io/v1 | |
| kind: CustomResourceDefinition | |
| metadata: | |
| annotations: | |
| controller-gen.kubebuilder.io/version: v0.4.1 | |
| name: kubearmorhostpolicies.security.kubearmor.com | |
| spec: | |
| group: security.kubearmor.com | |
| names: | |
| kind: KubeArmorHostPolicy | |
| listKind: KubeArmorHostPolicyList | |
| plural: kubearmorhostpolicies | |
| shortNames: | |
| - hsp | |
| singular: kubearmorhostpolicy | |
| scope: Cluster | |
| versions: | |
| - name: v1 | |
| schema: | |
| openAPIV3Schema: | |
| description: KubeArmorHostPolicy is the Schema for the kubearmorhostpolicies | |
| API | |
| properties: | |
| apiVersion: | |
| description: 'APIVersion defines the versioned schema of this representation | |
| of an object. Servers should convert recognized schemas to the latest | |
| internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
| type: string | |
| kind: | |
| description: 'Kind is a string value representing the REST resource this | |
| object represents. Servers may infer this from the endpoint the client | |
| submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
| type: string | |
| metadata: | |
| type: object | |
| spec: | |
| description: KubeArmorHostPolicySpec defines the desired state of KubeArmorHostPolicy | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| apparmor: | |
| type: string | |
| capabilities: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| matchCapabilities: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| capability: | |
| pattern: (chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_admin|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|audit_write|audit_control|setfcap|mac_override|mac_admin)$ | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - capability | |
| - fromSource | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - matchCapabilities | |
| type: object | |
| file: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| matchDirectories: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| dir: | |
| pattern: ^\/$|^\/.*\/$ | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| readOnly: | |
| type: boolean | |
| recursive: | |
| type: boolean | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - dir | |
| type: object | |
| type: array | |
| matchPaths: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| readOnly: | |
| type: boolean | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - path | |
| type: object | |
| type: array | |
| matchPatterns: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| pattern: | |
| type: string | |
| readOnly: | |
| type: boolean | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - pattern | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| type: object | |
| message: | |
| type: string | |
| network: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| matchProtocols: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| protocol: | |
| pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - fromSource | |
| - protocol | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - matchProtocols | |
| type: object | |
| nodeSelector: | |
| properties: | |
| matchLabels: | |
| additionalProperties: | |
| type: string | |
| type: object | |
| type: object | |
| process: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| matchDirectories: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| dir: | |
| pattern: ^\/$|^\/.*\/$ | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| recursive: | |
| type: boolean | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - dir | |
| type: object | |
| type: array | |
| matchPaths: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| fromSource: | |
| items: | |
| properties: | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - path | |
| type: object | |
| type: array | |
| matchPatterns: | |
| items: | |
| properties: | |
| action: | |
| enum: | |
| - Allow | |
| - Audit | |
| - Block | |
| type: string | |
| message: | |
| type: string | |
| ownerOnly: | |
| type: boolean | |
| pattern: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - pattern | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| type: object | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| syscalls: | |
| properties: | |
| matchPaths: | |
| items: | |
| properties: | |
| fromSource: | |
| items: | |
| properties: | |
| dir: | |
| type: string | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| recursive: | |
| type: boolean | |
| type: object | |
| type: array | |
| path: | |
| pattern: (^\/+.*[^\/]$)|(^\/$|^\/.*\/$) | |
| type: string | |
| recursive: | |
| type: boolean | |
| syscall: | |
| items: | |
| enum: | |
| - read | |
| - write | |
| - open | |
| - close | |
| - stat | |
| - fstat | |
| - lstat | |
| - poll | |
| - lseek | |
| - mmap | |
| - mprotect | |
| - munmap | |
| - brk | |
| - rt_sigaction | |
| - rt_sigprocmask | |
| - rt_sigreturn | |
| - ioctl | |
| - pread64 | |
| - pwrite64 | |
| - readv | |
| - writev | |
| - access | |
| - pipe | |
| - select | |
| - sched_yield | |
| - mremap | |
| - msync | |
| - mincore | |
| - madvise | |
| - shmget | |
| - shmat | |
| - shmctl | |
| - dup | |
| - dup2 | |
| - pause | |
| - nanosleep | |
| - getitimer | |
| - alarm | |
| - setitimer | |
| - getpid | |
| - sendfile | |
| - socket | |
| - connect | |
| - accept | |
| - sendto | |
| - recvfrom | |
| - sendmsg | |
| - recvmsg | |
| - shutdown | |
| - bind | |
| - listen | |
| - getsockname | |
| - getpeername | |
| - socketpair | |
| - setsockopt | |
| - getsockopt | |
| - clone | |
| - fork | |
| - vfork | |
| - execve | |
| - exit | |
| - wait4 | |
| - kill | |
| - uname | |
| - semget | |
| - semop | |
| - semctl | |
| - shmdt | |
| - msgget | |
| - msgsnd | |
| - msgrcv | |
| - msgctl | |
| - fcntl | |
| - flock | |
| - fsync | |
| - fdatasync | |
| - truncate | |
| - ftruncate | |
| - getdents | |
| - getcwd | |
| - chdir | |
| - fchdir | |
| - rename | |
| - mkdir | |
| - rmdir | |
| - creat | |
| - link | |
| - unlink | |
| - symlink | |
| - readlink | |
| - chmod | |
| - fchmod | |
| - chown | |
| - fchown | |
| - lchown | |
| - umask | |
| - gettimeofday | |
| - getrlimit | |
| - getrusage | |
| - sysinfo | |
| - times | |
| - ptrace | |
| - getuid | |
| - syslog | |
| - getgid | |
| - setuid | |
| - setgid | |
| - geteuid | |
| - getegid | |
| - setpgid | |
| - getppid | |
| - getpgrp | |
| - setsid | |
| - setreuid | |
| - setregid | |
| - getgroups | |
| - setgroups | |
| - setresuid | |
| - getresuid | |
| - setresgid | |
| - getresgid | |
| - getpgid | |
| - setfsuid | |
| - setfsgid | |
| - getsid | |
| - capget | |
| - capset | |
| - rt_sigpending | |
| - rt_sigtimedwait | |
| - rt_sigqueueinfo | |
| - rt_sigsuspend | |
| - sigaltstack | |
| - utime | |
| - mknod | |
| - uselib | |
| - personality | |
| - ustat | |
| - statfs | |
| - fstatfs | |
| - sysfs | |
| - getpriority | |
| - setpriority | |
| - sched_setparam | |
| - sched_getparam | |
| - sched_setscheduler | |
| - sched_getscheduler | |
| - sched_get_priority_max | |
| - sched_get_priority_min | |
| - sched_rr_get_interval | |
| - mlock | |
| - munlock | |
| - mlockall | |
| - munlockall | |
| - vhangup | |
| - modify_ldt | |
| - pivot_root | |
| - _sysctl | |
| - prctl | |
| - arch_prctl | |
| - adjtimex | |
| - setrlimit | |
| - chroot | |
| - sync | |
| - acct | |
| - settimeofday | |
| - mount | |
| - umount2 | |
| - swapon | |
| - swapoff | |
| - reboot | |
| - sethostname | |
| - setdomainname | |
| - iopl | |
| - ioperm | |
| - create_module | |
| - init_module | |
| - delete_module | |
| - get_kernel_syms | |
| - query_module | |
| - quotactl | |
| - nfsservctl | |
| - getpmsg | |
| - putpmsg | |
| - afs_syscall | |
| - tuxcall | |
| - security | |
| - gettid | |
| - readahead | |
| - setxattr | |
| - lsetxattr | |
| - fsetxattr | |
| - getxattr | |
| - lgetxattr | |
| - fgetxattr | |
| - listxattr | |
| - llistxattr | |
| - flistxattr | |
| - removexattr | |
| - lremovexattr | |
| - fremovexattr | |
| - tkill | |
| - time | |
| - futex | |
| - sched_setaffinity | |
| - sched_getaffinity | |
| - set_thread_area | |
| - io_setup | |
| - io_destroy | |
| - io_getevents | |
| - io_submit | |
| - io_cancel | |
| - get_thread_area | |
| - lookup_dcookie | |
| - epoll_create | |
| - epoll_ctl_old | |
| - epoll_wait_old | |
| - remap_file_pages | |
| - getdents64 | |
| - set_tid_address | |
| - restart_syscall | |
| - semtimedop | |
| - fadvise64 | |
| - timer_create | |
| - timer_settime | |
| - timer_gettime | |
| - timer_getoverrun | |
| - timer_delete | |
| - clock_settime | |
| - clock_gettime | |
| - clock_getres | |
| - clock_nanosleep | |
| - exit_group | |
| - epoll_wait | |
| - epoll_ctl | |
| - tgkill | |
| - utimes | |
| - vserver | |
| - mbind | |
| - set_mempolicy | |
| - get_mempolicy | |
| - mq_open | |
| - mq_unlink | |
| - mq_timedsend | |
| - mq_timedreceive | |
| - mq_notify | |
| - mq_getsetattr | |
| - kexec_load | |
| - waitid | |
| - add_key | |
| - request_key | |
| - keyctl | |
| - ioprio_set | |
| - ioprio_get | |
| - inotify_init | |
| - inotify_add_watch | |
| - inotify_rm_watch | |
| - migrate_pages | |
| - openat | |
| - mkdirat | |
| - mknodat | |
| - fchownat | |
| - futimesat | |
| - newfstatat | |
| - unlinkat | |
| - renameat | |
| - linkat | |
| - symlinkat | |
| - readlinkat | |
| - fchmodat | |
| - faccessat | |
| - pselect6 | |
| - ppoll | |
| - unshare | |
| - set_robust_list | |
| - get_robust_list | |
| - splice | |
| - tee | |
| - sync_file_range | |
| - vmsplice | |
| - move_pages | |
| - utimensat | |
| - epoll_pwait | |
| - signalfd | |
| - timerfd_create | |
| - eventfd | |
| - fallocate | |
| - timerfd_settime | |
| - timerfd_gettime | |
| - accept4 | |
| - signalfd4 | |
| - eventfd2 | |
| - epoll_create1 | |
| - dup3 | |
| - pipe2 | |
| - inotify_init1 | |
| - preadv | |
| - pwritev | |
| - rt_tgsigqueueinfo | |
| - perf_event_open | |
| - recvmmsg | |
| - fanotify_init | |
| - fanotify_mark | |
| - prlimit64 | |
| - name_to_handle_at | |
| - open_by_handle_at | |
| - clock_adjtime | |
| - syncfs | |
| - sendmmsg | |
| - setns | |
| - getcpu | |
| - process_vm_readv | |
| - process_vm_writev | |
| - kcmp | |
| - finit_module | |
| - sched_setattr | |
| - sched_getattr | |
| - renameat2 | |
| - seccomp | |
| - getrandom | |
| - memfd_create | |
| - kexec_file_load | |
| - bpf | |
| - execveat | |
| - userfaultfd | |
| - membarrier | |
| - mlock2 | |
| - copy_file_range | |
| - preadv2 | |
| - pwritev2 | |
| - pkey_mprotect | |
| - pkey_alloc | |
| - pkey_free | |
| - statx | |
| - io_pgetevents | |
| - rseq | |
| type: string | |
| type: array | |
| type: object | |
| type: array | |
| matchSyscalls: | |
| items: | |
| properties: | |
| fromSource: | |
| items: | |
| properties: | |
| dir: | |
| type: string | |
| path: | |
| pattern: ^\/+.*[^\/]$ | |
| type: string | |
| recursive: | |
| type: boolean | |
| type: object | |
| type: array | |
| syscall: | |
| items: | |
| enum: | |
| - read | |
| - write | |
| - open | |
| - close | |
| - stat | |
| - fstat | |
| - lstat | |
| - poll | |
| - lseek | |
| - mmap | |
| - mprotect | |
| - munmap | |
| - brk | |
| - rt_sigaction | |
| - rt_sigprocmask | |
| - rt_sigreturn | |
| - ioctl | |
| - pread64 | |
| - pwrite64 | |
| - readv | |
| - writev | |
| - access | |
| - pipe | |
| - select | |
| - sched_yield | |
| - mremap | |
| - msync | |
| - mincore | |
| - madvise | |
| - shmget | |
| - shmat | |
| - shmctl | |
| - dup | |
| - dup2 | |
| - pause | |
| - nanosleep | |
| - getitimer | |
| - alarm | |
| - setitimer | |
| - getpid | |
| - sendfile | |
| - socket | |
| - connect | |
| - accept | |
| - sendto | |
| - recvfrom | |
| - sendmsg | |
| - recvmsg | |
| - shutdown | |
| - bind | |
| - listen | |
| - getsockname | |
| - getpeername | |
| - socketpair | |
| - setsockopt | |
| - getsockopt | |
| - clone | |
| - fork | |
| - vfork | |
| - execve | |
| - exit | |
| - wait4 | |
| - kill | |
| - uname | |
| - semget | |
| - semop | |
| - semctl | |
| - shmdt | |
| - msgget | |
| - msgsnd | |
| - msgrcv | |
| - msgctl | |
| - fcntl | |
| - flock | |
| - fsync | |
| - fdatasync | |
| - truncate | |
| - ftruncate | |
| - getdents | |
| - getcwd | |
| - chdir | |
| - fchdir | |
| - rename | |
| - mkdir | |
| - rmdir | |
| - creat | |
| - link | |
| - unlink | |
| - symlink | |
| - readlink | |
| - chmod | |
| - fchmod | |
| - chown | |
| - fchown | |
| - lchown | |
| - umask | |
| - gettimeofday | |
| - getrlimit | |
| - getrusage | |
| - sysinfo | |
| - times | |
| - ptrace | |
| - getuid | |
| - syslog | |
| - getgid | |
| - setuid | |
| - setgid | |
| - geteuid | |
| - getegid | |
| - setpgid | |
| - getppid | |
| - getpgrp | |
| - setsid | |
| - setreuid | |
| - setregid | |
| - getgroups | |
| - setgroups | |
| - setresuid | |
| - getresuid | |
| - setresgid | |
| - getresgid | |
| - getpgid | |
| - setfsuid | |
| - setfsgid | |
| - getsid | |
| - capget | |
| - capset | |
| - rt_sigpending | |
| - rt_sigtimedwait | |
| - rt_sigqueueinfo | |
| - rt_sigsuspend | |
| - sigaltstack | |
| - utime | |
| - mknod | |
| - uselib | |
| - personality | |
| - ustat | |
| - statfs | |
| - fstatfs | |
| - sysfs | |
| - getpriority | |
| - setpriority | |
| - sched_setparam | |
| - sched_getparam | |
| - sched_setscheduler | |
| - sched_getscheduler | |
| - sched_get_priority_max | |
| - sched_get_priority_min | |
| - sched_rr_get_interval | |
| - mlock | |
| - munlock | |
| - mlockall | |
| - munlockall | |
| - vhangup | |
| - modify_ldt | |
| - pivot_root | |
| - _sysctl | |
| - prctl | |
| - arch_prctl | |
| - adjtimex | |
| - setrlimit | |
| - chroot | |
| - sync | |
| - acct | |
| - settimeofday | |
| - mount | |
| - umount2 | |
| - swapon | |
| - swapoff | |
| - reboot | |
| - sethostname | |
| - setdomainname | |
| - iopl | |
| - ioperm | |
| - create_module | |
| - init_module | |
| - delete_module | |
| - get_kernel_syms | |
| - query_module | |
| - quotactl | |
| - nfsservctl | |
| - getpmsg | |
| - putpmsg | |
| - afs_syscall | |
| - tuxcall | |
| - security | |
| - gettid | |
| - readahead | |
| - setxattr | |
| - lsetxattr | |
| - fsetxattr | |
| - getxattr | |
| - lgetxattr | |
| - fgetxattr | |
| - listxattr | |
| - llistxattr | |
| - flistxattr | |
| - removexattr | |
| - lremovexattr | |
| - fremovexattr | |
| - tkill | |
| - time | |
| - futex | |
| - sched_setaffinity | |
| - sched_getaffinity | |
| - set_thread_area | |
| - io_setup | |
| - io_destroy | |
| - io_getevents | |
| - io_submit | |
| - io_cancel | |
| - get_thread_area | |
| - lookup_dcookie | |
| - epoll_create | |
| - epoll_ctl_old | |
| - epoll_wait_old | |
| - remap_file_pages | |
| - getdents64 | |
| - set_tid_address | |
| - restart_syscall | |
| - semtimedop | |
| - fadvise64 | |
| - timer_create | |
| - timer_settime | |
| - timer_gettime | |
| - timer_getoverrun | |
| - timer_delete | |
| - clock_settime | |
| - clock_gettime | |
| - clock_getres | |
| - clock_nanosleep | |
| - exit_group | |
| - epoll_wait | |
| - epoll_ctl | |
| - tgkill | |
| - utimes | |
| - vserver | |
| - mbind | |
| - set_mempolicy | |
| - get_mempolicy | |
| - mq_open | |
| - mq_unlink | |
| - mq_timedsend | |
| - mq_timedreceive | |
| - mq_notify | |
| - mq_getsetattr | |
| - kexec_load | |
| - waitid | |
| - add_key | |
| - request_key | |
| - keyctl | |
| - ioprio_set | |
| - ioprio_get | |
| - inotify_init | |
| - inotify_add_watch | |
| - inotify_rm_watch | |
| - migrate_pages | |
| - openat | |
| - mkdirat | |
| - mknodat | |
| - fchownat | |
| - futimesat | |
| - newfstatat | |
| - unlinkat | |
| - renameat | |
| - linkat | |
| - symlinkat | |
| - readlinkat | |
| - fchmodat | |
| - faccessat | |
| - pselect6 | |
| - ppoll | |
| - unshare | |
| - set_robust_list | |
| - get_robust_list | |
| - splice | |
| - tee | |
| - sync_file_range | |
| - vmsplice | |
| - move_pages | |
| - utimensat | |
| - epoll_pwait | |
| - signalfd | |
| - timerfd_create | |
| - eventfd | |
| - fallocate | |
| - timerfd_settime | |
| - timerfd_gettime | |
| - accept4 | |
| - signalfd4 | |
| - eventfd2 | |
| - epoll_create1 | |
| - dup3 | |
| - pipe2 | |
| - inotify_init1 | |
| - preadv | |
| - pwritev | |
| - rt_tgsigqueueinfo | |
| - perf_event_open | |
| - recvmmsg | |
| - fanotify_init | |
| - fanotify_mark | |
| - prlimit64 | |
| - name_to_handle_at | |
| - open_by_handle_at | |
| - clock_adjtime | |
| - syncfs | |
| - sendmmsg | |
| - setns | |
| - getcpu | |
| - process_vm_readv | |
| - process_vm_writev | |
| - kcmp | |
| - finit_module | |
| - sched_setattr | |
| - sched_getattr | |
| - renameat2 | |
| - seccomp | |
| - getrandom | |
| - memfd_create | |
| - kexec_file_load | |
| - bpf | |
| - execveat | |
| - userfaultfd | |
| - membarrier | |
| - mlock2 | |
| - copy_file_range | |
| - preadv2 | |
| - pwritev2 | |
| - pkey_mprotect | |
| - pkey_alloc | |
| - pkey_free | |
| - statx | |
| - io_pgetevents | |
| - rseq | |
| type: string | |
| type: array | |
| type: object | |
| type: array | |
| message: | |
| type: string | |
| severity: | |
| maximum: 10 | |
| minimum: 1 | |
| type: integer | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| type: object | |
| tags: | |
| items: | |
| type: string | |
| type: array | |
| required: | |
| - nodeSelector | |
| type: object | |
| status: | |
| description: KubeArmorHostPolicyStatus defines the observed state of KubeArmorHostPolicy | |
| properties: | |
| status: | |
| type: string | |
| type: object | |
| type: object | |
| served: true | |
| storage: true | |
| subresources: | |
| status: {} | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: kubearmor | |
| namespace: kubearmor | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: kubearmor-clusterrole | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - pods | |
| - nodes | |
| - namespaces | |
| - configmaps | |
| verbs: | |
| - get | |
| - patch | |
| - list | |
| - watch | |
| - update | |
| - apiGroups: | |
| - apps | |
| resources: | |
| - deployments | |
| - replicasets | |
| - daemonsets | |
| - statefulsets | |
| verbs: | |
| - get | |
| - patch | |
| - list | |
| - watch | |
| - update | |
| - apiGroups: | |
| - security.kubearmor.com | |
| resources: | |
| - kubearmorpolicies | |
| - kubearmorhostpolicies | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - update | |
| - delete | |
| - nonResourceURLs: | |
| - /apis | |
| - /apis/* | |
| verbs: | |
| - get | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: kubearmor-clusterrolebinding | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: kubearmor-clusterrole | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kubearmor | |
| namespace: kubearmor | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| labels: | |
| kubearmor-app: kubearmor-relay | |
| name: kubearmor | |
| namespace: kubearmor | |
| spec: | |
| ports: | |
| - port: 32767 | |
| protocol: TCP | |
| targetPort: 32767 | |
| selector: | |
| kubearmor-app: kubearmor-relay | |
| --- | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| labels: | |
| kubearmor-app: kubearmor-relay | |
| name: kubearmor-relay | |
| namespace: kubearmor | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| kubearmor-app: kubearmor-relay | |
| template: | |
| metadata: | |
| annotations: | |
| kubearmor-policy: audited | |
| labels: | |
| kubearmor-app: kubearmor-relay | |
| spec: | |
| containers: | |
| - env: | |
| - name: ENABLE_STDOUT_LOGS | |
| value: "false" | |
| - name: ENABLE_STDOUT_ALERTS | |
| value: "false" | |
| - name: ENABLE_STDOUT_MSGS | |
| value: "false" | |
| image: kubearmor/kubearmor-relay-server:latest | |
| name: kubearmor-relay-server | |
| ports: | |
| - containerPort: 32767 | |
| nodeSelector: | |
| kubernetes.io/os: linux | |
| serviceAccountName: kubearmor | |
| --- | |
| apiVersion: apps/v1 | |
| kind: DaemonSet | |
| metadata: | |
| labels: | |
| kubearmor-app: kubearmor | |
| name: kubearmor | |
| namespace: kubearmor | |
| spec: | |
| selector: | |
| matchLabels: | |
| kubearmor-app: kubearmor | |
| template: | |
| metadata: | |
| annotations: | |
| container.apparmor.security.beta.kubernetes.io/kubearmor: unconfined | |
| labels: | |
| kubearmor-app: kubearmor | |
| spec: | |
| containers: | |
| - args: | |
| - -gRPC=32767 | |
| env: | |
| - name: KUBEARMOR_NODENAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| - name: KUBEARMOR_NAMESPACE | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.namespace | |
| image: kubearmor/kubearmor:stable | |
| imagePullPolicy: Always | |
| livenessProbe: | |
| exec: | |
| command: | |
| - /bin/bash | |
| - -c | |
| - if [ -z $(pgrep kubearmor) ]; then exit 1; fi; | |
| initialDelaySeconds: 60 | |
| periodSeconds: 10 | |
| name: kubearmor | |
| ports: | |
| - containerPort: 32767 | |
| securityContext: | |
| capabilities: | |
| add: | |
| - SETUID | |
| - SETGID | |
| - SETPCAP | |
| - SYS_ADMIN | |
| - SYS_PTRACE | |
| - MAC_ADMIN | |
| - SYS_RESOURCE | |
| - IPC_LOCK | |
| - CAP_DAC_OVERRIDE | |
| - CAP_DAC_READ_SEARCH | |
| drop: | |
| - ALL | |
| privileged: false | |
| seccompProfile: | |
| localhostProfile: profiles/kube.json | |
| type: Localhost | |
| terminationMessagePath: /dev/termination-log | |
| terminationMessagePolicy: File | |
| volumeMounts: | |
| - mountPath: /opt/kubearmor/BPF | |
| name: bpf | |
| - mountPath: /lib/modules | |
| name: lib-modules-path | |
| readOnly: true | |
| - mountPath: /sys/fs/bpf | |
| name: sys-fs-bpf-path | |
| - mountPath: /sys/kernel/security | |
| name: sys-kernel-security-path | |
| - mountPath: /sys/kernel/debug | |
| name: sys-kernel-debug-path | |
| - mountPath: /media/root/etc/os-release | |
| name: os-release-path | |
| readOnly: true | |
| - mountPath: /usr/src | |
| name: usr-src-path | |
| readOnly: true | |
| - mountPath: /etc/apparmor.d | |
| name: etc-apparmor-d-path | |
| - mountPath: /var/run/containerd/containerd.sock | |
| name: containerd-sock-path | |
| readOnly: true | |
| dnsPolicy: ClusterFirstWithHostNet | |
| hostNetwork: true | |
| hostPID: true | |
| initContainers: | |
| - image: kubearmor/kubearmor-init:stable | |
| imagePullPolicy: Always | |
| name: init | |
| securityContext: | |
| capabilities: | |
| add: | |
| - SETUID | |
| - SETGID | |
| - SETPCAP | |
| - SYS_ADMIN | |
| - SYS_PTRACE | |
| - MAC_ADMIN | |
| - SYS_RESOURCE | |
| - IPC_LOCK | |
| - CAP_DAC_OVERRIDE | |
| - CAP_DAC_READ_SEARCH | |
| drop: | |
| - ALL | |
| privileged: false | |
| volumeMounts: | |
| - mountPath: /opt/kubearmor/BPF | |
| name: bpf | |
| - mountPath: /lib/modules | |
| name: lib-modules-path | |
| readOnly: true | |
| - mountPath: /sys/fs/bpf | |
| name: sys-fs-bpf-path | |
| - mountPath: /sys/kernel/security | |
| name: sys-kernel-security-path | |
| - mountPath: /sys/kernel/debug | |
| name: sys-kernel-debug-path | |
| - mountPath: /media/root/etc/os-release | |
| name: os-release-path | |
| readOnly: true | |
| - mountPath: /usr/src | |
| name: usr-src-path | |
| readOnly: true | |
| nodeSelector: | |
| kubernetes.io/os: linux | |
| restartPolicy: Always | |
| serviceAccountName: kubearmor | |
| terminationGracePeriodSeconds: 60 | |
| tolerations: | |
| - operator: Exists | |
| volumes: | |
| - emptyDir: {} | |
| name: bpf | |
| - hostPath: | |
| path: /lib/modules | |
| type: DirectoryOrCreate | |
| name: lib-modules-path | |
| - hostPath: | |
| path: /sys/fs/bpf | |
| type: Directory | |
| name: sys-fs-bpf-path | |
| - hostPath: | |
| path: /sys/kernel/security | |
| type: Directory | |
| name: sys-kernel-security-path | |
| - hostPath: | |
| path: /sys/kernel/debug | |
| type: Directory | |
| name: sys-kernel-debug-path | |
| - hostPath: | |
| path: /etc/os-release | |
| type: File | |
| name: os-release-path | |
| - hostPath: | |
| path: /usr/src | |
| type: Directory | |
| name: usr-src-path | |
| - hostPath: | |
| path: /etc/apparmor.d | |
| type: DirectoryOrCreate | |
| name: etc-apparmor-d-path | |
| - hostPath: | |
| path: /var/run/containerd/containerd.sock | |
| type: Socket | |
| name: containerd-sock-path | |
| --- | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| labels: | |
| kubearmor-app: kubearmor-controller | |
| name: kubearmor-controller-webhook-server-cert | |
| namespace: kubearmor | |
| stringData: | |
| ca.crt: | | |
| -----BEGIN CERTIFICATE----- | |
| MIIFYjCCA0qgAwIBAgIBezANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJVUzEJ | |
| MAcGA1UECBMAMRIwEAYDVQQKEwlrdWJlYXJtb3IxFTATBgNVBAMTDGt1YmVhcm1v | |
| ci1jYTAeFw0yNDAyMTUyMjM0NTNaFw0yNzAyMTUyMjM0NTNaMEMxCzAJBgNVBAYT | |
| AlVTMQkwBwYDVQQIEwAxEjAQBgNVBAoTCWt1YmVhcm1vcjEVMBMGA1UEAxMMa3Vi | |
| ZWFybW9yLWNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAw2OJDiyh | |
| B61Y+oZ2biiIb67TLNg9A9ETwu+3cO6d1sl5kuxpp3woU7gQccBIoxXWC2XS1o2W | |
| YZz3TQP1dob/3GiBG1rbB97+ewCjzOvw+fbhnsn8KqIVckMj04M9JocyBvg5sljD | |
| 8O/MbwFx/q2SPHwvfBGokqgqm+yL+BztQo1lquwDSI5WDafaLaTMikYGmWg/iCBM | |
| R+kx//XbqN42iHz1XUzB1O931bOYrUb6qS4ScZSaKKCp/4o9usB3jowxKc6YMytz | |
| vXaAkKcX4wUJxcr/or1eV5m51pao+7PCn2CdHqGYxCLByXhHQe7gpF572zBRuczy | |
| DZYpfz6RFXFVpRHqXHjmMkKDze6v0/TKaS+taWjiC/znpbxQkNtMjabIOH77E3b0 | |
| 0zBB/CM6ciVjKtQWSE1OAcbfzWhVZA8UnY5YBpHdYfkUwZkg1URx4B30R3PEZbyP | |
| wQpKc0Hmzk0vxOmvvMgxCl18kpCj+FL+DqAiWjFvNNY7py38vhuORcnTncrEHgTK | |
| LMlh8QjatZbZwJSUsYCPfdziiZbuObYjtLKJT5VV1sl8/d6PUqQfZOIOgNWP8Dw7 | |
| zVIZJP+kYzhcce8g88E33nHRAmY5Ihn+V9EVNVgqB8mQt97R2mSSSlx6C/giixtG | |
| VBxH/LNex0TWwTbq/4WxKvwKkdOHWbN78U8CAwEAAaNhMF8wDgYDVR0PAQH/BAQD | |
| AgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTAD | |
| AQH/MB0GA1UdDgQWBBTkI3zpNZdCsd+l0vV5490ffV86jDANBgkqhkiG9w0BAQsF | |
| AAOCAgEAwI/FCBsRdrc3PTlnGqbg8knCELJSs9EdAmXFqijmi7b1Oavkfa/jFnSv | |
| UDoU8EYoEKAB/Vk761I054nNCo6rApwbX4IKfux1F5Ga3l9gTPpFC++K7FI9SXcS | |
| vqvl+OhdzC1vr4hUNQqyiOrroxNwa3Ru/+F8fAdAIWU3uHwfxY21T46akbfSZpJX | |
| kZSSMoGcobB04CnqFClWPOAvbf0uOdrlT30QbYwv9GdewlV1FDWimTRoHuy7uZGY | |
| LRMJYetQzmroJTS22wWa3uLdWdLmbmGzdVpX6a7FA7bIKrbjIrQzD4gBRKnKjpaU | |
| XUXSaIgCT2ohs28SsTCQu5nxVUUD1SeA3XJc/gx+/2q+m/DvTEQsqcj4dsqKMOTC | |
| 3Mp4EjcAP2v6z4TS+LSE0xMw7Z5prSh+9q6Mu6cN2vMYKaC0/RXCdQwl+BSboX7Q | |
| +h0g8bvWhBSR2mIZK7135HbNH8HnQjjbc6zNsHWC6TMXrq2d3sWCingXrHFAtFpV | |
| ip503NeDhpj+A98V+XTbMx/mdWnRGy8+X9XXTQFw6MHfPzYd6KpReQHCyIMnfaN/ | |
| mbcFrZhpmSKIpV0rbP+bnmKjlwRaSDj42lcRh5Eh4m0XqQA5jf5S57w+XcxV9sjS | |
| 8bSUyCxdO0hvpxwkn67ceLiNjn8PaKAhdBXnn6jAQOgeCVw6uM8= | |
| -----END CERTIFICATE----- | |
| tls.crt: | | |
| -----BEGIN CERTIFICATE----- | |
| MIIF2TCCA8GgAwIBAgICBNIwDQYJKoZIhvcNAQELBQAwQzELMAkGA1UEBhMCVVMx | |
| CTAHBgNVBAgTADESMBAGA1UEChMJa3ViZWFybW9yMRUwEwYDVQQDEwxrdWJlYXJt | |
| b3ItY2EwHhcNMjQwMjE1MjIzNDU1WhcNMjcwMjE1MjIzNDU1WjBIMQswCQYDVQQG | |
| EwJVUzEJMAcGA1UECBMAMRIwEAYDVQQKEwlrdWJlYXJtb3IxGjAYBgNVBAMTEWt1 | |
| YmVhcm1vci13ZWJob29rMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA | |
| tsKMLKGmIqsqLONLbjr9aiNRT6+GE44NAQR/tafdCngINTmJwRKWb6LWzZvijHQu | |
| gJ1qC/Y6NrfuTWeIv9jlQdou5mo/zxLE3e/bEC+sl79iNCkJ/i+TfwJVxBMBJiAm | |
| dw47EPJpYiavjKSOAonasBVCMDMMFfYUCyd8DsZwbFoX66j9V/OGJaCRXUyJ/Doq | |
| F3FpqoydyHHnKdMMlDC1E2pTDevLhWmR9ZOMQN1yL5mtun5A0VDCaDQ5M/AQS9ad | |
| gucYIjC1OE5acJjMUPpQL9LzM/E/JNy8Fe6RjygDHhWm49lGpVSx+LZmmF5gItTp | |
| jhfVwE/6/HVLhuCzLjpIyNSMndsBwX4rUCM8paYuums9vJusGQQkM27I66zD4B0F | |
| HTMJmNPgd0hQ/r8Zm1qEeHyzGRqb82L20/cZFzkLDe3VPZquMuhqxAA+Ol0NQHvX | |
| EEAon9zkEfje906vdzrXty/Bj5ezPDadaY+ybuIRjQJhSeveKb4pj7+3Ujh8Miv4 | |
| L59fiI0tTgCPwXyrxDnKQ9vSNbfUAmi2a3r4DnTx5yw53+z0mrqHrvsh7I/xmlzh | |
| OpifY8oYtiTN5+vDHg15Zw0dcRnyn63kznDZn7r54g7Nojfe0fjuFd3CtaTgtWnr | |
| NvdS6dtQaXooLowN9EwRGmEsMpmPe5e7WDzC2J+JCKsCAwEAAaOB0TCBzjAOBgNV | |
| HQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1Ud | |
| EwEB/wQCMAAwDgYDVR0OBAcEBQECAwQFMH8GA1UdEQR4MHaCMmt1YmVhcm1vci1j | |
| b250cm9sbGVyLXdlYmhvb2stc2VydmljZS5rdWJlYXJtb3Iuc3ZjgkBrdWJlYXJt | |
| b3ItY29udHJvbGxlci13ZWJob29rLXNlcnZpY2Uua3ViZWFybW9yLnN2Yy5jbHVz | |
| dGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4ICAQAYSbj5fOUQF1J+b/J/5WNt2WFF | |
| 18POF7DMyvy43vQrU+/ySKtYWs/tIK3J0xdHTDnTn4LVVu+/V8CMpZlHQhChYcoE | |
| L1BXNcqgDNwXSP3PpIbbi04g3/VkFgifWQMrA9mT6gNRBG8a/SqnwmHlCmyCipja | |
| VFfd9EIayIbU7IzZMoRidQZj4dZGXIOFiAkjDwWNS7DY01QOr1U7BMD4dq5/6a2m | |
| q8CYe25Wdj4F8yXHzVKW5D55fsU4L+xozZBhK2dOzYX/0huCktVK6cq9avjL1GCK | |
| 48AfwqMwYQ57by3/nogqCuRs4Nb1RZM0m+LsiCASvBrAbO+pnI62Sjgq9M+ztvWj | |
| 2Ov7jKjL/vkERfDPDWuG+qGWQa6nY4h7oXVWM9bI4/tt3Ns4KghtolQNVAamnK1W | |
| +ItJIp9Ou7+tiC5shQqt/uXLvKgXoCbZrdteBWq0vE7TY+6r1sFfcBVzwf/Ng56t | |
| GCt8C9Deh78ogygMkTip1sZKgUC3NIpfT1yGrOVFEJbhIK+2SEjZW03TsE8QEpV/ | |
| 2vL33JXnsCq7PXuZ/kya5wNKZcmK/XGZkCV57cjJvkFgJxa/kdCScWX7aY/e8c8i | |
| /LQ7zeQ1PLXw3aTQexDSW+Zog5BnlTw19SkDb7AFvxBPb8f6B7DIFOuCLfXTGqzB | |
| zIZBkk480Be+kwnBsA== | |
| -----END CERTIFICATE----- | |
| tls.key: | | |
| -----BEGIN RSA PRIVATE KEY----- | |
| MIIJKAIBAAKCAgEAtsKMLKGmIqsqLONLbjr9aiNRT6+GE44NAQR/tafdCngINTmJ | |
| wRKWb6LWzZvijHQugJ1qC/Y6NrfuTWeIv9jlQdou5mo/zxLE3e/bEC+sl79iNCkJ | |
| /i+TfwJVxBMBJiAmdw47EPJpYiavjKSOAonasBVCMDMMFfYUCyd8DsZwbFoX66j9 | |
| V/OGJaCRXUyJ/DoqF3FpqoydyHHnKdMMlDC1E2pTDevLhWmR9ZOMQN1yL5mtun5A | |
| 0VDCaDQ5M/AQS9adgucYIjC1OE5acJjMUPpQL9LzM/E/JNy8Fe6RjygDHhWm49lG | |
| pVSx+LZmmF5gItTpjhfVwE/6/HVLhuCzLjpIyNSMndsBwX4rUCM8paYuums9vJus | |
| GQQkM27I66zD4B0FHTMJmNPgd0hQ/r8Zm1qEeHyzGRqb82L20/cZFzkLDe3VPZqu | |
| MuhqxAA+Ol0NQHvXEEAon9zkEfje906vdzrXty/Bj5ezPDadaY+ybuIRjQJhSeve | |
| Kb4pj7+3Ujh8Miv4L59fiI0tTgCPwXyrxDnKQ9vSNbfUAmi2a3r4DnTx5yw53+z0 | |
| mrqHrvsh7I/xmlzhOpifY8oYtiTN5+vDHg15Zw0dcRnyn63kznDZn7r54g7Nojfe | |
| 0fjuFd3CtaTgtWnrNvdS6dtQaXooLowN9EwRGmEsMpmPe5e7WDzC2J+JCKsCAwEA | |
| AQKCAgANWLPH5p4tVfakhIzTpfcvsxiTCyxtbShB9MQmzfV0eEORL3yB3wuhZ3Ds | |
| Xv/yZeGnftdpvDeQG2qJuI/iAsLrRjW6mfPC+Ynq80M6MWEXS+CuEnkqWOsakV8W | |
| DJU+5YYpl550pF9RzaVwTewY/1w7E7Jbtr6hM/FOxzlmEtPO9d1dVl/59kzLnqg+ | |
| +gHxq4W7ZIrk65PyOW86PLFkeRIgMtmR4LBiM81286mAayuVklF/lwzAvHcWCQpM | |
| YrGt+CRUlO/MP2ZckExGgMIa/8yvUWZ1Wp7T4FLT/zIeFDv2DHq9lPZ1yHOeyCNB | |
| 6VJ3+Lh9qfvwKWcY3LABT5OGQrdh44d9fJeGfk8fmfDf2uUQS4yChJcV+p0os5o7 | |
| 9Ja87NwFBVpvQEqVNtBF0OWTLyhUOZ0Pl3Jq0IR92oR9VZWatE9T3wN/hCl2KlCg | |
| 9/ccNZDsu/m4P8XE2rlZpVITfDkngBEw2B4Gmy3ssUDM1K2DeWg8N5MjUOaGBo6z | |
| ELWqJSGYL9XP77l7xrKeah1QNcbCxx8F92HuTaUN4J3WIYFt5RtofolvAWVAvzw9 | |
| UJ6JGK1zFW/EsKIaDdGNtqvKWgDcBnU2oaN1h0CuSwNn9v+KK8pD8L+8ptHsPwfP | |
| OtxeJAKxy8KX2HiAfHJTikla/uRPZM3pFCWU0cq5yDMBWNy+kQKCAQEA6FAji22Z | |
| 2LGNvDdQ+k0FkD33V0UeVSJUlZxNKMtjxUzcv6Xhh7Ws77m+Q75CylKcUakTjGk1 | |
| s2GGS5h6r6qxoF72sfzUrLG4YEjCim89iMPiR3LEQrVj4GpJyIWmaFY84ePlvnpn | |
| z3OBWHjZ3yEQ68GfxHCgQ6sePjDI24d+suX/eTQbMzWNMnzDpVqWbX3ID8uKyHOf | |
| WiXjlcieiIGFrSPOK3dy2/mudRF9k8bO1vEpL9oDJjI7nt2BYO9KLX+H47cd0XRe | |
| B3VqPc1gRdCAoVR/xJslRR+8EIeEQzqXGbtTJNmQMWUxX2Y5Ez9zLkAPoLRA3kZB | |
| tix07ZSjQT44zQKCAQEAyWT35kHv61prXy+ZJm4bGCXZ9lQ6PrnNsOZ2/xDnIQDK | |
| KnWMkv70oophecjjRoMyZWF3PyP2wzKKzsl4zUH2kgidOPXpwG5bVf5+GknqvHSD | |
| nQFfbVt4eQvtCJXSMm5zSQPOXYISR3g46/Bnd2u3TilCZRUEm+E9/cvFn6vo63H4 | |
| cZbz9JVAooNCe2/dSrIVbLf67vQ/kAsMCBNeag40242V/AKVKD/LAhtQ4MnjNSPA | |
| YQXg/kFESg1PUN8c2Gw6/GcEEsj43dbB0nZRg/OB/CjO2HvDdYOEAdycHD3CuCAs | |
| pnwnHOb+7VrwaT8w+eirRGkUmoPn3KlVnrsERa6nVwKCAQEAunqxvZcx+qaz7lS8 | |
| 9N7ky19ibzQ1YANZwGqh6VAye0rynAhM3EHyWtBPsVNFi+D6R/afkYNWrvJm+cGh | |
| Iee0A9aW0lLwaNuT8/4T40neLC2JMu8mKaIvVRIcvhDCflhTMMReRCM/t1+xgVIp | |
| GZoSWhyn4ejCTO9MLIG+ibHe+z3yb9lqyBWBjPhnmBD6VVO1RzCM69EcJiHp6O8M | |
| iujlZBEsyulsUrW+24w5sGjS2ejltdqb0opaH3ERDL2oXpNTgnAYSGzPmc8fhBKa | |
| 6A+xYU9R7IDZTv5lWSNfARRD/EzJNfhKbcwb8Mc+o3u4OnUD1m068PGWh+Rxy9AX | |
| qCSJNQKCAQBBww6PyYgmOehFtK01t05xnCqIHQjH4rQfx6GjuElApZleM/QrK8WG | |
| LdmWgtpz8/NI14Kww3WYV7CrxW4E2D1DgjyUlPg3NdHtSqSywOA9mW5Anmois3Or | |
| UxGbdBCnFxneBbglIIwHemJb6KxgenPoueBMUYinve0YKqnlcaUk/Jo7vSb7/qCU | |
| cHgNBoIkGfKVBZ6S2H7I8lKDcI+r4eewqZMIL2+1LN+FWJYYUNQ4TexLwjetznIW | |
| HDKCHdi1cuHv+VODLszU44N2zdvgUmtng4vHdOJmRQOd+AOh1Sj4Jslts6yx61vi | |
| 9Yb7Vv8PG8KRHB72NYxIqaKjqj3C4z0RAoIBAD3UY9dkwjd9A6wuOubLb2h1OgGl | |
| 1uEjKkJrS+8W6lKGSZwN1n2VBj5dnudNQ0NqJIXWNhnrNoQAg4MJFzcihL+rK7r0 | |
| dSITiSCgJaqBh0Ab0NB+cEGYt1IkVPgfCCnvcdJi6+8DQ9+ETzgq+qFtx1ARubS1 | |
| xkRRwASpGpkMuX8Ef5fa7ahdRl5yKMWJNbJr//Leiu7+pkTw9RZuUjyaIZ9EnHh1 | |
| 4/KZzfMfFPeAtAULXtSv0EDXqGqzEbXufCiy6N6kDtMWJcecdYSuTMBFM6QCPZbK | |
| F3DAybQDXuT9QIdzEni4jC2xKRUl+0Ok9twUPYEOtkFdFA2gCJLupl/j2Po= | |
| -----END RSA PRIVATE KEY----- | |
| type: kubernetes.io/tls | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: kubearmor-controller | |
| namespace: kubearmor | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: kubearmor-controller-clusterrole | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - pods | |
| verbs: | |
| - create | |
| - delete | |
| - get | |
| - patch | |
| - list | |
| - watch | |
| - update | |
| - apiGroups: | |
| - security.kubearmor.com | |
| resources: | |
| - kubearmorpolicies | |
| - kubearmorhostpolicies | |
| verbs: | |
| - create | |
| - delete | |
| - get | |
| - patch | |
| - list | |
| - watch | |
| - update | |
| - apiGroups: | |
| - security.kubearmor.com | |
| resources: | |
| - kubearmorpolicies/status | |
| - kubearmorhostpolicies/status | |
| verbs: | |
| - get | |
| - patch | |
| - update | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: kubearmor-controller-clusterrolebinding | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: kubearmor-controller-clusterrole | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kubearmor-controller | |
| namespace: kubearmor | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| name: kubearmor-controller-leader-election-role | |
| namespace: kubearmor | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - configmaps | |
| verbs: | |
| - create | |
| - delete | |
| - get | |
| - patch | |
| - list | |
| - watch | |
| - update | |
| - apiGroups: | |
| - coordination.k8s.io | |
| resources: | |
| - leases | |
| verbs: | |
| - create | |
| - delete | |
| - get | |
| - patch | |
| - list | |
| - watch | |
| - update | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - events | |
| verbs: | |
| - create | |
| - patch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| name: kubearmor-controller-leader-election-rolebinding | |
| namespace: kubearmor | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: kubearmor-controller-leader-election-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kubearmor-controller | |
| namespace: kubearmor | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: kubearmor-controller-proxy-role | |
| rules: | |
| - apiGroups: | |
| - authentication.k8s.io | |
| resources: | |
| - tokenreviews | |
| verbs: | |
| - create | |
| - apiGroups: | |
| - authorization.k8s.io | |
| resources: | |
| - subjectaccessreviews | |
| verbs: | |
| - create | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: kubearmor-controller-proxy-rolebinding | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: kubearmor-controller-proxy-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kubearmor-controller | |
| namespace: kubearmor | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: kubearmor-controller-metrics-reader-role | |
| rules: | |
| - nonResourceURLs: | |
| - /metrics | |
| verbs: | |
| - get | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: kubearmor-controller-metrics-reader-rolebinding | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: kubearmor-controller-metrics-reader-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kubearmor-controller | |
| namespace: kubearmor | |
| --- | |
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| labels: | |
| kubearmor-app: kubearmor-controller | |
| name: kubearmor-controller | |
| namespace: kubearmor | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| kubearmor-app: kubearmor-controller | |
| template: | |
| metadata: | |
| annotations: | |
| container.apparmor.security.beta.kubernetes.io/kube-rbac-proxy: unconfined | |
| container.apparmor.security.beta.kubernetes.io/manager: unconfined | |
| kubearmor-policy: audited | |
| labels: | |
| kubearmor-app: kubearmor-controller | |
| spec: | |
| containers: | |
| - args: | |
| - --secure-listen-address=0.0.0.0:8443 | |
| - --upstream=http://127.0.0.1:8080/ | |
| - --logtostderr=true | |
| - --v=10 | |
| image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 | |
| name: kube-rbac-proxy | |
| ports: | |
| - containerPort: 8443 | |
| name: https | |
| resources: | |
| limits: | |
| cpu: 100m | |
| memory: 40Mi | |
| requests: | |
| cpu: 100m | |
| memory: 20Mi | |
| - args: | |
| - --metrics-bind-address=127.0.0.1:8080 | |
| - --leader-elect | |
| - --health-probe-bind-address=:8081 | |
| command: | |
| - /manager | |
| image: kubearmor/kubearmor-controller:latest | |
| livenessProbe: | |
| httpGet: | |
| path: /healthz | |
| port: 8081 | |
| initialDelaySeconds: 15 | |
| periodSeconds: 20 | |
| name: manager | |
| ports: | |
| - containerPort: 9443 | |
| name: webhook-server | |
| protocol: TCP | |
| readinessProbe: | |
| httpGet: | |
| path: /readyz | |
| port: 8081 | |
| initialDelaySeconds: 5 | |
| periodSeconds: 10 | |
| resources: | |
| requests: | |
| cpu: 10m | |
| memory: 64Mi | |
| securityContext: | |
| allowPrivilegeEscalation: false | |
| volumeMounts: | |
| - mountPath: /tmp/k8s-webhook-server/serving-certs | |
| name: cert | |
| readOnly: true | |
| - mountPath: /sys/kernel/security | |
| name: sys-path | |
| readOnly: true | |
| priorityClassName: system-node-critical | |
| serviceAccountName: kubearmor-controller | |
| terminationGracePeriodSeconds: 10 | |
| volumes: | |
| - name: cert | |
| secret: | |
| defaultMode: 420 | |
| secretName: kubearmor-controller-webhook-server-cert | |
| - hostPath: | |
| path: /sys/kernel/security | |
| type: Directory | |
| name: sys-path | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| labels: | |
| kubearmor-app: kubearmor-controller | |
| name: kubearmor-controller-metrics-service | |
| namespace: kubearmor | |
| spec: | |
| ports: | |
| - name: https | |
| port: 8443 | |
| protocol: TCP | |
| targetPort: https | |
| selector: | |
| kubearmor-app: kubearmor-controller | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: kubearmor-controller-webhook-service | |
| namespace: kubearmor | |
| spec: | |
| ports: | |
| - port: 443 | |
| protocol: TCP | |
| targetPort: 9443 | |
| selector: | |
| kubearmor-app: kubearmor-controller | |
| --- | |
| apiVersion: admissionregistration.k8s.io/v1 | |
| kind: MutatingWebhookConfiguration | |
| metadata: | |
| name: kubearmor-controller-mutating-webhook-configuration | |
| namespace: kubearmor | |
| webhooks: | |
| - admissionReviewVersions: | |
| - v1 | |
| clientConfig: | |
| caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZZakNDQTBxZ0F3SUJBZ0lCZXpBTkJna3Foa2lHOXcwQkFRc0ZBREJETVFzd0NRWURWUVFHRXdKVlV6RUoKTUFjR0ExVUVDQk1BTVJJd0VBWURWUVFLRXdscmRXSmxZWEp0YjNJeEZUQVRCZ05WQkFNVERHdDFZbVZoY20xdgpjaTFqWVRBZUZ3MHlOREF5TVRVeU1qTTBOVE5hRncweU56QXlNVFV5TWpNME5UTmFNRU14Q3pBSkJnTlZCQVlUCkFsVlRNUWt3QndZRFZRUUlFd0F4RWpBUUJnTlZCQW9UQ1d0MVltVmhjbTF2Y2pFVk1CTUdBMVVFQXhNTWEzVmkKWldGeWJXOXlMV05oTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUF3Mk9KRGl5aApCNjFZK29aMmJpaUliNjdUTE5nOUE5RVR3dSszY082ZDFzbDVrdXhwcDN3b1U3Z1FjY0JJb3hYV0MyWFMxbzJXCllaejNUUVAxZG9iLzNHaUJHMXJiQjk3K2V3Q2p6T3Z3K2ZiaG5zbjhLcUlWY2tNajA0TTlKb2N5QnZnNXNsakQKOE8vTWJ3RngvcTJTUEh3dmZCR29rcWdxbSt5TCtCenRRbzFscXV3RFNJNVdEYWZhTGFUTWlrWUdtV2cvaUNCTQpSK2t4Ly9YYnFONDJpSHoxWFV6QjFPOTMxYk9ZclViNnFTNFNjWlNhS0tDcC80bzl1c0Izam93eEtjNllNeXR6CnZYYUFrS2NYNHdVSnhjci9vcjFlVjVtNTFwYW8rN1BDbjJDZEhxR1l4Q0xCeVhoSFFlN2dwRjU3MnpCUnVjenkKRFpZcGZ6NlJGWEZWcFJIcVhIam1Na0tEemU2djAvVEthUyt0YVdqaUMvem5wYnhRa050TWphYklPSDc3RTNiMAowekJCL0NNNmNpVmpLdFFXU0UxT0FjYmZ6V2hWWkE4VW5ZNVlCcEhkWWZrVXdaa2cxVVJ4NEIzMFIzUEVaYnlQCndRcEtjMEhtemswdnhPbXZ2TWd4Q2wxOGtwQ2orRkwrRHFBaVdqRnZOTlk3cHkzOHZodU9SY25UbmNyRUhnVEsKTE1saDhRamF0WmJad0pTVXNZQ1BmZHppaVpidU9iWWp0TEtKVDVWVjFzbDgvZDZQVXFRZlpPSU9nTldQOER3Nwp6VklaSlAra1l6aGNjZThnODhFMzNuSFJBbVk1SWhuK1Y5RVZOVmdxQjhtUXQ5N1IybVNTU2x4NkMvZ2lpeHRHClZCeEgvTE5leDBUV3dUYnEvNFd4S3Z3S2tkT0hXYk43OFU4Q0F3RUFBYU5oTUY4d0RnWURWUjBQQVFIL0JBUUQKQWdHR01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUNCZ2dyQmdFRkJRY0RBVEFQQmdOVkhSTUJBZjhFQlRBRApBUUgvTUIwR0ExVWREZ1FXQkJUa0kzenBOWmRDc2QrbDB2VjU0OTBmZlY4NmpEQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBZ0VBd0kvRkNCc1JkcmMzUFRsbkdxYmc4a25DRUxKU3M5RWRBbVhGcWlqbWk3YjFPYXZrZmEvakZuU3YKVURvVThFWW9FS0FCL1ZrNzYxSTA1NG5OQ282ckFwd2JYNElLZnV4MUY1R2EzbDlnVFBwRkMrK0s3Rkk5U1hjUwp2cXZsK09oZHpDMXZyNGhVTlFxeWlPcnJveE53YTNSdS8rRjhmQWRBSVdVM3VId2Z4WTIxVDQ2YWtiZlNacEpYCmtaU1NNb0djb2JCMDRDbnFGQ2xXUE9BdmJmMHVPZHJsVDMwUWJZd3Y5R2Rld2xWMUZEV2ltVFJvSHV5N3VaR1kKTFJNSllldFF6bXJvSlRTMjJ3V2EzdUxkV2RMbWJtR3pkVnBYNmE3RkE3YklLcmJqSXJRekQ0Z0JSS25LanBhVQpYVVhTYUlnQ1Qyb2hzMjhTc1RDUXU1bnhWVVVEMVNlQTNYSmMvZ3grLzJxK20vRHZURVFzcWNqNGRzcUtNT1RDCjNNcDRFamNBUDJ2Nno0VFMrTFNFMHhNdzdaNXByU2grOXE2TXU2Y04ydk1ZS2FDMC9SWENkUXdsK0JTYm9YN1EKK2gwZzhidldoQlNSMm1JWks3MTM1SGJOSDhIblFqamJjNnpOc0hXQzZUTVhycTJkM3NXQ2luZ1hySEZBdEZwVgppcDUwM05lRGhwaitBOThWK1hUYk14L21kV25SR3k4K1g5WFhUUUZ3Nk1IZlB6WWQ2S3BSZVFIQ3lJTW5mYU4vCm1iY0ZyWmhwbVNLSXBWMHJiUCtibm1Lamx3UmFTRGo0MmxjUmg1RWg0bTBYcVFBNWpmNVM1N3crWGN4VjlzalMKOGJTVXlDeGRPMGh2cHh3a242N2NlTGlOam44UGFLQWhkQlhubjZqQVFPZ2VDVnc2dU04PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== | |
| service: | |
| name: kubearmor-controller-webhook-service | |
| namespace: kubearmor | |
| path: /mutate-pods | |
| failurePolicy: Ignore | |
| name: annotation.kubearmor.com | |
| objectSelector: | |
| matchExpressions: | |
| - key: kubearmor-app | |
| operator: DoesNotExist | |
| rules: | |
| - apiGroups: | |
| - "" | |
| apiVersions: | |
| - v1 | |
| operations: | |
| - CREATE | |
| - UPDATE | |
| resources: | |
| - pods | |
| sideEffects: NoneOnDryRun | |
| --- | |
| apiVersion: v1 | |
| data: | |
| cluster: default | |
| defaultCapabilitiesPosture: audit | |
| defaultFilePosture: audit | |
| defaultNetworkPosture: audit | |
| gRPC: "32767" | |
| visibility: process,network | |
| kind: ConfigMap | |
| metadata: | |
| labels: | |
| kubearmor-app: kubearmor-configmap | |
| name: kubearmor-config | |
| namespace: kubearmor |