--- apiVersion: v1 kind: ServiceAccount metadata: name: kubearmor namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubearmor namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubearmor namespace: kube-system --- apiVersion: v1 kind: Service metadata: name: kubearmor namespace: kube-system spec: ports: - port: 32767 protocol: TCP targetPort: 32767 selector: kubearmor-app: kubearmor-relay --- apiVersion: apps/v1 kind: Deployment metadata: labels: kubearmor-app: kubearmor-relay name: kubearmor-relay namespace: kube-system spec: replicas: 1 selector: matchLabels: kubearmor-app: kubearmor-relay template: metadata: annotations: kubearmor-policy: audited labels: kubearmor-app: kubearmor-relay spec: containers: - image: kubearmor/kubearmor-relay-server:latest name: kubearmor-relay-server ports: - containerPort: 32767 nodeSelector: kubernetes.io/os: linux serviceAccountName: kubearmor --- apiVersion: apps/v1 kind: DaemonSet metadata: labels: kubearmor-app: kubearmor name: kubearmor namespace: kube-system spec: selector: matchLabels: kubearmor-app: kubearmor template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/kubearmor: unconfined labels: kubearmor-app: kubearmor spec: containers: - args: - -gRPC=32767 - -enableKubeArmorHostPolicy env: - name: KUBEARMOR_NODENAME valueFrom: fieldRef: fieldPath: spec.nodeName image: kubearmor/kubearmor:stable imagePullPolicy: Always livenessProbe: exec: command: - /bin/bash - -c - if [ -z $(pgrep kubearmor) ]; then exit 1; fi; initialDelaySeconds: 60 periodSeconds: 10 name: kubearmor ports: - containerPort: 32767 securityContext: privileged: false capabilities: drop: - ALL add: - SETUID - SETGID - SETPCAP - SYS_ADMIN - SYS_PTRACE - MAC_ADMIN - SYS_RESOURCE - IPC_LOCK - CAP_DAC_OVERRIDE - CAP_DAC_READ_SEARCH terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf - mountPath: /lib/modules name: lib-modules-path readOnly: true - mountPath: /sys/fs/bpf name: sys-fs-bpf-path - mountPath: /sys/kernel/security name: sys-kernel-security-path - mountPath: /sys/kernel/debug name: sys-kernel-debug-path - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true - mountPath: /media/root/usr name: usr-src-path readOnly: true - mountPath: /etc/apparmor.d name: etc-apparmor-d-path - mountPath: /var/run/containerd/containerd.sock name: containerd-sock-path readOnly: true - mountPath: /run/containerd name: containerd-storage-path readOnly: true - mountPath: /var/lib/docker name: docker-storage-path readOnly: true dnsPolicy: ClusterFirstWithHostNet hostNetwork: false hostPID: true initContainers: - image: kubearmor/kubearmor-init:latest name: init securityContext: privileged: true capabilities: drop: - ALL add: - SETUID - SETGID - SETPCAP - SYS_ADMIN - SYS_PTRACE - MAC_ADMIN - SYS_RESOURCE - IPC_LOCK - CAP_DAC_OVERRIDE - CAP_DAC_READ_SEARCH volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf - mountPath: /lib/modules name: lib-modules-path readOnly: true - mountPath: /sys/fs/bpf name: sys-fs-bpf-path - mountPath: /sys/kernel/security name: sys-kernel-security-path - mountPath: /sys/kernel/debug name: sys-kernel-debug-path - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true - mountPath: /media/root/usr name: usr-src-path readOnly: true nodeSelector: kubernetes.io/os: linux restartPolicy: Always serviceAccountName: kubearmor terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - emptyDir: {} name: bpf - hostPath: path: /lib/modules type: DirectoryOrCreate name: lib-modules-path - hostPath: path: /sys/fs/bpf type: Directory name: sys-fs-bpf-path - hostPath: path: /sys/kernel/security type: Directory name: sys-kernel-security-path - hostPath: path: /sys/kernel/debug type: Directory name: sys-kernel-debug-path - hostPath: path: /etc/os-release type: File name: os-release-path - hostPath: path: /usr type: Directory name: usr-src-path - hostPath: path: /etc/apparmor.d type: DirectoryOrCreate name: etc-apparmor-d-path - hostPath: path: /var/run/containerd/containerd.sock type: Socket name: containerd-sock-path - hostPath: path: /run/containerd type: DirectoryOrCreate name: containerd-storage-path - hostPath: path: /var/lib/docker type: DirectoryOrCreate name: docker-storage-path --- apiVersion: v1 kind: Service metadata: labels: kubearmor-app: kubearmor-policy-manager name: kubearmor-policy-manager-metrics-service namespace: kube-system spec: ports: - name: https port: 8443 targetPort: https selector: kubearmor-app: kubearmor-policy-manager --- apiVersion: apps/v1 kind: Deployment metadata: labels: kubearmor-app: kubearmor-policy-manager name: kubearmor-policy-manager namespace: kube-system spec: replicas: 1 selector: matchLabels: kubearmor-app: kubearmor-policy-manager template: metadata: annotations: kubearmor-policy: audited labels: kubearmor-app: kubearmor-policy-manager spec: containers: - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=10 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 name: kube-rbac-proxy ports: - containerPort: 8443 name: https resources: limits: cpu: 100m memory: 40Mi requests: cpu: 100m memory: 20Mi - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election command: - /manager image: kubearmor/kubearmor-policy-manager:latest livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 name: kubearmor-policy-manager resources: limits: cpu: 100m memory: 40Mi requests: cpu: 100m memory: 20Mi serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- apiVersion: v1 kind: Service metadata: labels: kubearmor-app: kubearmor-host-policy-manager name: kubearmor-host-policy-manager-metrics-service namespace: kube-system spec: ports: - name: https port: 8443 targetPort: https selector: kubearmor-app: kubearmor-host-policy-manager --- apiVersion: apps/v1 kind: Deployment metadata: labels: kubearmor-app: kubearmor-host-policy-manager name: kubearmor-host-policy-manager namespace: kube-system spec: replicas: 1 selector: matchLabels: kubearmor-app: kubearmor-host-policy-manager template: metadata: annotations: kubearmor-policy: audited labels: kubearmor-app: kubearmor-host-policy-manager spec: containers: - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=10 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 name: kube-rbac-proxy ports: - containerPort: 8443 name: https resources: limits: cpu: 100m memory: 40Mi requests: cpu: 100m memory: 20Mi - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election command: - /manager image: kubearmor/kubearmor-host-policy-manager:latest livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 name: kubearmor-host-policy-manager resources: limits: cpu: 100m memory: 40Mi requests: cpu: 100m memory: 20Mi serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 name: kubearmorpolicies.security.kubearmor.com spec: group: security.kubearmor.com names: kind: KubeArmorPolicy listKind: KubeArmorPolicyList plural: kubearmorpolicies shortNames: - ksp singular: kubearmorpolicy scope: Namespaced versions: - name: v1 schema: openAPIV3Schema: description: KubeArmorPolicy is the Schema for the kubearmorpolicies API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: KubeArmorPolicySpec defines the desired state of KubeArmorPolicy properties: action: enum: - Allow - Audit - Block type: string apparmor: type: string capabilities: properties: action: enum: - Allow - Audit - Block type: string matchCapabilities: items: properties: action: enum: - Allow - Audit - Block type: string capability: pattern: (chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_admin|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|audit_write|audit_control|setfcap|mac_override|mac_admin)$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - capability type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - matchCapabilities type: object file: properties: action: enum: - Allow - Audit - Block type: string matchDirectories: items: properties: action: enum: - Allow - Audit - Block type: string dir: pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean readOnly: type: boolean recursive: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - dir type: object type: array matchPaths: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean path: pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - path type: object type: array matchPatterns: items: properties: action: enum: - Allow - Audit - Block type: string message: type: string ownerOnly: type: boolean pattern: type: string readOnly: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - pattern type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object message: type: string network: properties: action: enum: - Allow - Audit - Block type: string matchProtocols: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string protocol: pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - protocol type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - matchProtocols type: object process: properties: action: enum: - Allow - Audit - Block type: string matchDirectories: items: properties: action: enum: - Allow - Audit - Block type: string dir: pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean recursive: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - dir type: object type: array matchPaths: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean path: pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - path type: object type: array matchPatterns: items: properties: action: enum: - Allow - Audit - Block type: string message: type: string ownerOnly: type: boolean pattern: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - pattern type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object selector: properties: matchLabels: additionalProperties: type: string type: object type: object severity: maximum: 10 minimum: 1 type: integer syscalls: properties: matchPaths: items: properties: fromSource: items: properties: dir: type: string path: pattern: ^\/+.*[^\/]$ type: string recursive: type: boolean type: object type: array path: pattern: (^\/+.*[^\/]$)|(^\/$|^\/.*\/$) type: string recursive: type: boolean syscall: items: enum: - read - write - open - close - stat - fstat - lstat - poll - lseek - mmap - mprotect - munmap - brk - rt_sigaction - rt_sigprocmask - rt_sigreturn - ioctl - pread64 - pwrite64 - readv - writev - access - pipe - select - sched_yield - mremap - msync - mincore - madvise - shmget - shmat - shmctl - dup - dup2 - pause - nanosleep - getitimer - alarm - setitimer - getpid - sendfile - socket - connect - accept - sendto - recvfrom - sendmsg - recvmsg - shutdown - bind - listen - getsockname - getpeername - socketpair - setsockopt - getsockopt - clone - fork - vfork - execve - exit - wait4 - kill - uname - semget - semop - semctl - shmdt - msgget - msgsnd - msgrcv - msgctl - fcntl - flock - fsync - fdatasync - truncate - ftruncate - getdents - getcwd - chdir - fchdir - rename - mkdir - rmdir - creat - link - unlink - symlink - readlink - chmod - fchmod - chown - fchown - lchown - umask - gettimeofday - getrlimit - getrusage - sysinfo - times - ptrace - getuid - syslog - getgid - setuid - setgid - geteuid - getegid - setpgid - getppid - getpgrp - setsid - setreuid - setregid - getgroups - setgroups - setresuid - getresuid - setresgid - getresgid - getpgid - setfsuid - setfsgid - getsid - capget - capset - rt_sigpending - rt_sigtimedwait - rt_sigqueueinfo - rt_sigsuspend - sigaltstack - utime - mknod - uselib - personality - ustat - statfs - fstatfs - sysfs - getpriority - setpriority - sched_setparam - sched_getparam - sched_setscheduler - sched_getscheduler - sched_get_priority_max - sched_get_priority_min - sched_rr_get_interval - mlock - munlock - mlockall - munlockall - vhangup - modify_ldt - pivot_root - _sysctl - prctl - arch_prctl - adjtimex - setrlimit - chroot - sync - acct - settimeofday - mount - umount2 - swapon - swapoff - reboot - sethostname - setdomainname - iopl - ioperm - create_module - init_module - delete_module - get_kernel_syms - query_module - quotactl - nfsservctl - getpmsg - putpmsg - afs_syscall - tuxcall - security - gettid - readahead - setxattr - lsetxattr - fsetxattr - getxattr - lgetxattr - fgetxattr - listxattr - llistxattr - flistxattr - removexattr - lremovexattr - fremovexattr - tkill - time - futex - sched_setaffinity - sched_getaffinity - set_thread_area - io_setup - io_destroy - io_getevents - io_submit - io_cancel - get_thread_area - lookup_dcookie - epoll_create - epoll_ctl_old - epoll_wait_old - remap_file_pages - getdents64 - set_tid_address - restart_syscall - semtimedop - fadvise64 - timer_create - timer_settime - timer_gettime - timer_getoverrun - timer_delete - clock_settime - clock_gettime - clock_getres - clock_nanosleep - exit_group - epoll_wait - epoll_ctl - tgkill - utimes - vserver - mbind - set_mempolicy - get_mempolicy - mq_open - mq_unlink - mq_timedsend - mq_timedreceive - mq_notify - mq_getsetattr - kexec_load - waitid - add_key - request_key - keyctl - ioprio_set - ioprio_get - inotify_init - inotify_add_watch - inotify_rm_watch - migrate_pages - openat - mkdirat - mknodat - fchownat - futimesat - newfstatat - unlinkat - renameat - linkat - symlinkat - readlinkat - fchmodat - faccessat - pselect6 - ppoll - unshare - set_robust_list - get_robust_list - splice - tee - sync_file_range - vmsplice - move_pages - utimensat - epoll_pwait - signalfd - timerfd_create - eventfd - fallocate - timerfd_settime - timerfd_gettime - accept4 - signalfd4 - eventfd2 - epoll_create1 - dup3 - pipe2 - inotify_init1 - preadv - pwritev - rt_tgsigqueueinfo - perf_event_open - recvmmsg - fanotify_init - fanotify_mark - prlimit64 - name_to_handle_at - open_by_handle_at - clock_adjtime - syncfs - sendmmsg - setns - getcpu - process_vm_readv - process_vm_writev - kcmp - finit_module - sched_setattr - sched_getattr - renameat2 - seccomp - getrandom - memfd_create - kexec_file_load - bpf - execveat - userfaultfd - membarrier - mlock2 - copy_file_range - preadv2 - pwritev2 - pkey_mprotect - pkey_alloc - pkey_free - statx - io_pgetevents - rseq type: string type: array type: object type: array matchSyscalls: items: properties: fromSource: items: properties: dir: type: string path: pattern: ^\/+.*[^\/]$ type: string recursive: type: boolean type: object type: array syscall: items: enum: - read - write - open - close - stat - fstat - lstat - poll - lseek - mmap - mprotect - munmap - brk - rt_sigaction - rt_sigprocmask - rt_sigreturn - ioctl - pread64 - pwrite64 - readv - writev - access - pipe - select - sched_yield - mremap - msync - mincore - madvise - shmget - shmat - shmctl - dup - dup2 - pause - nanosleep - getitimer - alarm - setitimer - getpid - sendfile - socket - connect - accept - sendto - recvfrom - sendmsg - recvmsg - shutdown - bind - listen - getsockname - getpeername - socketpair - setsockopt - getsockopt - clone - fork - vfork - execve - exit - wait4 - kill - uname - semget - semop - semctl - shmdt - msgget - msgsnd - msgrcv - msgctl - fcntl - flock - fsync - fdatasync - truncate - ftruncate - getdents - getcwd - chdir - fchdir - rename - mkdir - rmdir - creat - link - unlink - symlink - readlink - chmod - fchmod - chown - fchown - lchown - umask - gettimeofday - getrlimit - getrusage - sysinfo - times - ptrace - getuid - syslog - getgid - setuid - setgid - geteuid - getegid - setpgid - getppid - getpgrp - setsid - setreuid - setregid - getgroups - setgroups - setresuid - getresuid - setresgid - getresgid - getpgid - setfsuid - setfsgid - getsid - capget - capset - rt_sigpending - rt_sigtimedwait - rt_sigqueueinfo - rt_sigsuspend - sigaltstack - utime - mknod - uselib - personality - ustat - statfs - fstatfs - sysfs - getpriority - setpriority - sched_setparam - sched_getparam - sched_setscheduler - sched_getscheduler - sched_get_priority_max - sched_get_priority_min - sched_rr_get_interval - mlock - munlock - mlockall - munlockall - vhangup - modify_ldt - pivot_root - _sysctl - prctl - arch_prctl - adjtimex - setrlimit - chroot - sync - acct - settimeofday - mount - umount2 - swapon - swapoff - reboot - sethostname - setdomainname - iopl - ioperm - create_module - init_module - delete_module - get_kernel_syms - query_module - quotactl - nfsservctl - getpmsg - putpmsg - afs_syscall - tuxcall - security - gettid - readahead - setxattr - lsetxattr - fsetxattr - getxattr - lgetxattr - fgetxattr - listxattr - llistxattr - flistxattr - removexattr - lremovexattr - fremovexattr - tkill - time - futex - sched_setaffinity - sched_getaffinity - set_thread_area - io_setup - io_destroy - io_getevents - io_submit - io_cancel - get_thread_area - lookup_dcookie - epoll_create - epoll_ctl_old - epoll_wait_old - remap_file_pages - getdents64 - set_tid_address - restart_syscall - semtimedop - fadvise64 - timer_create - timer_settime - timer_gettime - timer_getoverrun - timer_delete - clock_settime - clock_gettime - clock_getres - clock_nanosleep - exit_group - epoll_wait - epoll_ctl - tgkill - utimes - vserver - mbind - set_mempolicy - get_mempolicy - mq_open - mq_unlink - mq_timedsend - mq_timedreceive - mq_notify - mq_getsetattr - kexec_load - waitid - add_key - request_key - keyctl - ioprio_set - ioprio_get - inotify_init - inotify_add_watch - inotify_rm_watch - migrate_pages - openat - mkdirat - mknodat - fchownat - futimesat - newfstatat - unlinkat - renameat - linkat - symlinkat - readlinkat - fchmodat - faccessat - pselect6 - ppoll - unshare - set_robust_list - get_robust_list - splice - tee - sync_file_range - vmsplice - move_pages - utimensat - epoll_pwait - signalfd - timerfd_create - eventfd - fallocate - timerfd_settime - timerfd_gettime - accept4 - signalfd4 - eventfd2 - epoll_create1 - dup3 - pipe2 - inotify_init1 - preadv - pwritev - rt_tgsigqueueinfo - perf_event_open - recvmmsg - fanotify_init - fanotify_mark - prlimit64 - name_to_handle_at - open_by_handle_at - clock_adjtime - syncfs - sendmmsg - setns - getcpu - process_vm_readv - process_vm_writev - kcmp - finit_module - sched_setattr - sched_getattr - renameat2 - seccomp - getrandom - memfd_create - kexec_file_load - bpf - execveat - userfaultfd - membarrier - mlock2 - copy_file_range - preadv2 - pwritev2 - pkey_mprotect - pkey_alloc - pkey_free - statx - io_pgetevents - rseq type: string type: array type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object tags: items: type: string type: array required: - selector type: object status: description: KubeArmorPolicyStatus defines the observed state of KubeArmorPolicy properties: status: type: string type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 name: kubearmorhostpolicies.security.kubearmor.com spec: group: security.kubearmor.com names: kind: KubeArmorHostPolicy listKind: KubeArmorHostPolicyList plural: kubearmorhostpolicies shortNames: - hsp singular: kubearmorhostpolicy scope: Cluster versions: - name: v1 schema: openAPIV3Schema: description: KubeArmorHostPolicy is the Schema for the kubearmorhostpolicies API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: KubeArmorHostPolicySpec defines the desired state of KubeArmorHostPolicy properties: action: enum: - Allow - Audit - Block type: string apparmor: type: string capabilities: properties: action: enum: - Allow - Audit - Block type: string matchCapabilities: items: properties: action: enum: - Allow - Audit - Block type: string capability: pattern: (chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_admin|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|audit_write|audit_control|setfcap|mac_override|mac_admin)$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - capability - fromSource type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - matchCapabilities type: object file: properties: action: enum: - Allow - Audit - Block type: string matchDirectories: items: properties: action: enum: - Allow - Audit - Block type: string dir: pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean readOnly: type: boolean recursive: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - dir type: object type: array matchPaths: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean path: pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - path type: object type: array matchPatterns: items: properties: action: enum: - Allow - Audit - Block type: string message: type: string ownerOnly: type: boolean pattern: type: string readOnly: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - pattern type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object message: type: string network: properties: action: enum: - Allow - Audit - Block type: string matchProtocols: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string protocol: pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - fromSource - protocol type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - matchProtocols type: object nodeSelector: properties: matchLabels: additionalProperties: type: string type: object type: object process: properties: action: enum: - Allow - Audit - Block type: string matchDirectories: items: properties: action: enum: - Allow - Audit - Block type: string dir: pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean recursive: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - dir type: object type: array matchPaths: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean path: pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - path type: object type: array matchPatterns: items: properties: action: enum: - Allow - Audit - Block type: string message: type: string ownerOnly: type: boolean pattern: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - pattern type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object severity: maximum: 10 minimum: 1 type: integer syscalls: properties: matchPaths: items: properties: fromSource: items: properties: dir: type: string path: pattern: ^\/+.*[^\/]$ type: string recursive: type: boolean type: object type: array path: pattern: (^\/+.*[^\/]$)|(^\/$|^\/.*\/$) type: string recursive: type: boolean syscall: items: enum: - read - write - open - close - stat - fstat - lstat - poll - lseek - mmap - mprotect - munmap - brk - rt_sigaction - rt_sigprocmask - rt_sigreturn - ioctl - pread64 - pwrite64 - readv - writev - access - pipe - select - sched_yield - mremap - msync - mincore - madvise - shmget - shmat - shmctl - dup - dup2 - pause - nanosleep - getitimer - alarm - setitimer - getpid - sendfile - socket - connect - accept - sendto - recvfrom - sendmsg - recvmsg - shutdown - bind - listen - getsockname - getpeername - socketpair - setsockopt - getsockopt - clone - fork - vfork - execve - exit - wait4 - kill - uname - semget - semop - semctl - shmdt - msgget - msgsnd - msgrcv - msgctl - fcntl - flock - fsync - fdatasync - truncate - ftruncate - getdents - getcwd - chdir - fchdir - rename - mkdir - rmdir - creat - link - unlink - symlink - readlink - chmod - fchmod - chown - fchown - lchown - umask - gettimeofday - getrlimit - getrusage - sysinfo - times - ptrace - getuid - syslog - getgid - setuid - setgid - geteuid - getegid - setpgid - getppid - getpgrp - setsid - setreuid - setregid - getgroups - setgroups - setresuid - getresuid - setresgid - getresgid - getpgid - setfsuid - setfsgid - getsid - capget - capset - rt_sigpending - rt_sigtimedwait - rt_sigqueueinfo - rt_sigsuspend - sigaltstack - utime - mknod - uselib - personality - ustat - statfs - fstatfs - sysfs - getpriority - setpriority - sched_setparam - sched_getparam - sched_setscheduler - sched_getscheduler - sched_get_priority_max - sched_get_priority_min - sched_rr_get_interval - mlock - munlock - mlockall - munlockall - vhangup - modify_ldt - pivot_root - _sysctl - prctl - arch_prctl - adjtimex - setrlimit - chroot - sync - acct - settimeofday - mount - umount2 - swapon - swapoff - reboot - sethostname - setdomainname - iopl - ioperm - create_module - init_module - delete_module - get_kernel_syms - query_module - quotactl - nfsservctl - getpmsg - putpmsg - afs_syscall - tuxcall - security - gettid - readahead - setxattr - lsetxattr - fsetxattr - getxattr - lgetxattr - fgetxattr - listxattr - llistxattr - flistxattr - removexattr - lremovexattr - fremovexattr - tkill - time - futex - sched_setaffinity - sched_getaffinity - set_thread_area - io_setup - io_destroy - io_getevents - io_submit - io_cancel - get_thread_area - lookup_dcookie - epoll_create - epoll_ctl_old - epoll_wait_old - remap_file_pages - getdents64 - set_tid_address - restart_syscall - semtimedop - fadvise64 - timer_create - timer_settime - timer_gettime - timer_getoverrun - timer_delete - clock_settime - clock_gettime - clock_getres - clock_nanosleep - exit_group - epoll_wait - epoll_ctl - tgkill - utimes - vserver - mbind - set_mempolicy - get_mempolicy - mq_open - mq_unlink - mq_timedsend - mq_timedreceive - mq_notify - mq_getsetattr - kexec_load - waitid - add_key - request_key - keyctl - ioprio_set - ioprio_get - inotify_init - inotify_add_watch - inotify_rm_watch - migrate_pages - openat - mkdirat - mknodat - fchownat - futimesat - newfstatat - unlinkat - renameat - linkat - symlinkat - readlinkat - fchmodat - faccessat - pselect6 - ppoll - unshare - set_robust_list - get_robust_list - splice - tee - sync_file_range - vmsplice - move_pages - utimensat - epoll_pwait - signalfd - timerfd_create - eventfd - fallocate - timerfd_settime - timerfd_gettime - accept4 - signalfd4 - eventfd2 - epoll_create1 - dup3 - pipe2 - inotify_init1 - preadv - pwritev - rt_tgsigqueueinfo - perf_event_open - recvmmsg - fanotify_init - fanotify_mark - prlimit64 - name_to_handle_at - open_by_handle_at - clock_adjtime - syncfs - sendmmsg - setns - getcpu - process_vm_readv - process_vm_writev - kcmp - finit_module - sched_setattr - sched_getattr - renameat2 - seccomp - getrandom - memfd_create - kexec_file_load - bpf - execveat - userfaultfd - membarrier - mlock2 - copy_file_range - preadv2 - pwritev2 - pkey_mprotect - pkey_alloc - pkey_free - statx - io_pgetevents - rseq type: string type: array type: object type: array matchSyscalls: items: properties: fromSource: items: properties: dir: type: string path: pattern: ^\/+.*[^\/]$ type: string recursive: type: boolean type: object type: array syscall: items: enum: - read - write - open - close - stat - fstat - lstat - poll - lseek - mmap - mprotect - munmap - brk - rt_sigaction - rt_sigprocmask - rt_sigreturn - ioctl - pread64 - pwrite64 - readv - writev - access - pipe - select - sched_yield - mremap - msync - mincore - madvise - shmget - shmat - shmctl - dup - dup2 - pause - nanosleep - getitimer - alarm - setitimer - getpid - sendfile - socket - connect - accept - sendto - recvfrom - sendmsg - recvmsg - shutdown - bind - listen - getsockname - getpeername - socketpair - setsockopt - getsockopt - clone - fork - vfork - execve - exit - wait4 - kill - uname - semget - semop - semctl - shmdt - msgget - msgsnd - msgrcv - msgctl - fcntl - flock - fsync - fdatasync - truncate - ftruncate - getdents - getcwd - chdir - fchdir - rename - mkdir - rmdir - creat - link - unlink - symlink - readlink - chmod - fchmod - chown - fchown - lchown - umask - gettimeofday - getrlimit - getrusage - sysinfo - times - ptrace - getuid - syslog - getgid - setuid - setgid - geteuid - getegid - setpgid - getppid - getpgrp - setsid - setreuid - setregid - getgroups - setgroups - setresuid - getresuid - setresgid - getresgid - getpgid - setfsuid - setfsgid - getsid - capget - capset - rt_sigpending - rt_sigtimedwait - rt_sigqueueinfo - rt_sigsuspend - sigaltstack - utime - mknod - uselib - personality - ustat - statfs - fstatfs - sysfs - getpriority - setpriority - sched_setparam - sched_getparam - sched_setscheduler - sched_getscheduler - sched_get_priority_max - sched_get_priority_min - sched_rr_get_interval - mlock - munlock - mlockall - munlockall - vhangup - modify_ldt - pivot_root - _sysctl - prctl - arch_prctl - adjtimex - setrlimit - chroot - sync - acct - settimeofday - mount - umount2 - swapon - swapoff - reboot - sethostname - setdomainname - iopl - ioperm - create_module - init_module - delete_module - get_kernel_syms - query_module - quotactl - nfsservctl - getpmsg - putpmsg - afs_syscall - tuxcall - security - gettid - readahead - setxattr - lsetxattr - fsetxattr - getxattr - lgetxattr - fgetxattr - listxattr - llistxattr - flistxattr - removexattr - lremovexattr - fremovexattr - tkill - time - futex - sched_setaffinity - sched_getaffinity - set_thread_area - io_setup - io_destroy - io_getevents - io_submit - io_cancel - get_thread_area - lookup_dcookie - epoll_create - epoll_ctl_old - epoll_wait_old - remap_file_pages - getdents64 - set_tid_address - restart_syscall - semtimedop - fadvise64 - timer_create - timer_settime - timer_gettime - timer_getoverrun - timer_delete - clock_settime - clock_gettime - clock_getres - clock_nanosleep - exit_group - epoll_wait - epoll_ctl - tgkill - utimes - vserver - mbind - set_mempolicy - get_mempolicy - mq_open - mq_unlink - mq_timedsend - mq_timedreceive - mq_notify - mq_getsetattr - kexec_load - waitid - add_key - request_key - keyctl - ioprio_set - ioprio_get - inotify_init - inotify_add_watch - inotify_rm_watch - migrate_pages - openat - mkdirat - mknodat - fchownat - futimesat - newfstatat - unlinkat - renameat - linkat - symlinkat - readlinkat - fchmodat - faccessat - pselect6 - ppoll - unshare - set_robust_list - get_robust_list - splice - tee - sync_file_range - vmsplice - move_pages - utimensat - epoll_pwait - signalfd - timerfd_create - eventfd - fallocate - timerfd_settime - timerfd_gettime - accept4 - signalfd4 - eventfd2 - epoll_create1 - dup3 - pipe2 - inotify_init1 - preadv - pwritev - rt_tgsigqueueinfo - perf_event_open - recvmmsg - fanotify_init - fanotify_mark - prlimit64 - name_to_handle_at - open_by_handle_at - clock_adjtime - syncfs - sendmmsg - setns - getcpu - process_vm_readv - process_vm_writev - kcmp - finit_module - sched_setattr - sched_getattr - renameat2 - seccomp - getrandom - memfd_create - kexec_file_load - bpf - execveat - userfaultfd - membarrier - mlock2 - copy_file_range - preadv2 - pwritev2 - pkey_mprotect - pkey_alloc - pkey_free - statx - io_pgetevents - rseq type: string type: array type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object tags: items: type: string type: array required: - nodeSelector type: object status: description: KubeArmorHostPolicyStatus defines the observed state of KubeArmorHostPolicy properties: status: type: string type: object type: object served: true storage: true subresources: status: {}