@timstclair

For kubernetes/enhancements#24

/cc @kubernetes/sig-node @erictune @matchstick

@timstclair added the area/security and kind/documentation labels Jul 19, 2016
@timstclair added this to the v1.4 milestone Jul 19, 2016
@k8s-github-robot added the kind/design, size/L and release-note-label-needed labels Jul 19, 2016
@timstclair added the release-note-none label and removed the release-note-label-needed and kind/documentation labels Jul 19, 2016

Contributor

this is a good route, because doing the "install" of the profile is an ugly exec of apparmor_parser ;) best just to leave it to the admin so yay

Author

Ack. I'm guessing that building a solution for deploying profiles will be high priority though, even if it doesn't make the alpha feature list...

@Amey-D
Contributor

Amey-D commented Jul 19, 2016

/cc @kubernetes/goog-image FYI

@Amey-D
Contributor

Amey-D commented Jul 19, 2016

Do you have any guidelines for users on how to provision K8s nodes with AppArmor profiles (e.g., how to bring the profiles on to the nodes, and how to apply them before Kubelet can start their containers)?

@timstclair
Author

> Do you have any guidelines for users on how to provision K8s nodes with AppArmor profiles (e.g., how to bring the profiles on to the nodes, and how to apply them before Kubelet can start their containers)?

I was considering this problem to be out of the scope for alpha, but can reconsider if you think otherwise. Users may end up building the solution proposed in deploying profiles anyway, so it might be best to offer it as an "unofficial" (a.k.a. pre-alpha) option.

@timstclair
Author

After several conversations in other channels, I decided that it would be helpful to provide a reference implementation for loading profiles onto nodes. I've added a section describing the approach, as well as a testing plan.

PTAL

@jessfraz
Contributor

LGTM, the new stuff with getting profiles on the nodes as well :)

@timstclair
Author

Thanks! Adding LGTM label.

@timstclair added and removed the lgtm label Jul 25, 2016

@timstclair
Author

Squashed & rebased.

@timstclair added the lgtm label Jul 25, 2016

@timstclair
Author

Reran hack/update-munge-docs.sh. Reapplying LGTM.

@timstclair added and removed the lgtm label Jul 25, 2016

@timstclair
Author

Apparently the munger was using my alternate gopath as upstream. Fixed & reran.

@timstclair added and removed the lgtm label Jul 25, 2016

@k8s-bot

k8s-bot commented Jul 25, 2016

GCE e2e build/test passed for commit 55c39b9.

@k8s-github-robot

Automatic merge from submit-queue

@k8s-github-robot merged commit eb60b06 into kubernetes:master Jul 25, 2016