chore: add docker-compose file for securing unorchestrated container and hosts
Purpose of PR?:
Fixes #1341
Does this PR introduce a breaking change?
If the changes in this PR are manually verified, list down the scenarios covered:
Explicitly adding the capabilities via `cap_add` and removing the `privileged: true` field gives an error.
Additional information for reviewer? : Mention if this PR is part of any design or a continuation of previous PRs
Suggest tag to be used for kubearmor/kubearmor image - latest or stable?
Documentation added for docker compose usage.
Checklist:
- [x] Bug fix. Fixes #1341
- [x] This change requires a documentation update
- [x] PR Title follows the convention of `<type>(<scope>): <subject>`
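The PR description notes that the compose file has to run the agent with `privileged: true` because replacing it with `cap_add` fails. A defender reviewing such a compose file wants to see at a glance which services are granted host-level power. The checker below is an added example for this thread, not KubeArmor's own code: it walks an already-parsed compose definition and reports services that are privileged, add high-impact Linux capabilities, or share host namespaces. The sample compose structure and the `HIGH_IMPACT_CAPS` set are constructed by the editor for illustration; in practice the dict would come from `yaml.safe_load()` on the real `docker-compose.yaml`.

```python
"""Audit a parsed docker-compose definition for services that run with
elevated privileges.  Added example for this PR thread; not part of the
KubeArmor project.  In practice load the file with
yaml.safe_load(open("docker-compose.yaml")) and pass the result to
audit_compose().
"""

# Capabilities that effectively give a container control over the host
# kernel or other processes (assumption: set chosen by the editor; the page
# itself names no specific capability).
HIGH_IMPACT_CAPS = {
    "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
    "BPF", "PERFMON", "NET_ADMIN", "DAC_READ_SEARCH",
}

# Constructed sample mirroring the pattern the PR describes: one service
# that relies on privileged: true, one that tries cap_add instead, and an
# ordinary unprivileged service for contrast.  Values other than the image
# name are the editor's assumptions, not taken from the PR.
SAMPLE_COMPOSE = {
    "services": {
        "kubearmor": {
            "image": "kubearmor/kubearmor:stable",
            "privileged": True,
            "pid": "host",
        },
        "kubearmor-caps": {
            "image": "kubearmor/kubearmor:stable",
            "cap_add": ["CAP_SYS_ADMIN", "SYS_PTRACE", "BPF"],
        },
        "web": {"image": "nginx:alpine"},
    }
}


def _normalize_cap(cap):
    """Compose accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare on one form."""
    cap = str(cap).strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_compose(compose):
    """Return a list of (service, category, message) findings."""
    findings = []
    services = compose.get("services") or {}
    for name, svc in services.items():
        svc = svc or {}
        if svc.get("privileged") is True:
            findings.append((name, "privileged",
                             "runs with privileged: true (all capabilities, "
                             "no device cgroup restrictions)"))
        caps = {_normalize_cap(c) for c in (svc.get("cap_add") or [])}
        if "ALL" in caps:
            findings.append((name, "cap_add",
                             "cap_add: ALL grants every capability"))
        risky = sorted(caps & HIGH_IMPACT_CAPS)
        if risky:
            findings.append((name, "cap_add",
                             "adds high-impact capabilities: " + ", ".join(risky)))
        if svc.get("pid") == "host":
            findings.append((name, "pid", "shares the host PID namespace"))
        if svc.get("network_mode") == "host":
            findings.append((name, "network", "shares the host network namespace"))
    return findings


def privileged_services(compose):
    """Convenience view: names of services that carry any finding."""
    return sorted({name for name, _, _ in audit_compose(compose)})


if __name__ == "__main__":
    for service, category, message in audit_compose(SAMPLE_COMPOSE):
        print(f"[{category}] {service}: {message}")
```

Running the script prints one line per finding; a service like a host-security agent is expected to show up, and the value of the report is in confirming that nothing else in the same compose file inherits the same privileges.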
@navin772 did we test this out? Does everything work as expected? Can you try running your test suite against this?
@daemon1024 I will run the tests and share the results, also do we need a CI for docker mode?
@navin772 eventually yes, if you think it's easy to handle let's do it. But let's keep it in a separate PR.
The CI would need to run on BPFLSM runner since we don't have first class AppArmor support
@daemon1024 I tested this on the non-k8s HSP test suite and the tests pass except one (enforcement works, but the policy name is not matching).
I haven't included the Allow policies tests which require the host default posture to be Block due to system breaking concerns as discussed in slack.
Currently, just for testing, I ran the docker compose file in CI (which pulls the stable images), but we should be building the docker images first and then testing them.
Can you point me to how the kubearmor and kubearmor-init images are created so I can create a CI to test on them?
@daemon1024 @DelusionalOptimist this is the workflow that I ran to test in docker mode - workflow. I will add the bpflsm runner when I create the PR.