--- apiVersion: v1 kind: ServiceAccount metadata: name: kubearmor namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubearmor namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubearmor namespace: kube-system --- apiVersion: v1 kind: Service metadata: name: kubearmor namespace: kube-system spec: ports: - port: 32767 protocol: TCP targetPort: 32767 selector: kubearmor-app: kubearmor-relay --- apiVersion: apps/v1 kind: Deployment metadata: labels: kubearmor-app: kubearmor-relay name: kubearmor-relay namespace: kube-system spec: replicas: 1 selector: matchLabels: kubearmor-app: kubearmor-relay template: metadata: annotations: kubearmor-policy: audited labels: kubearmor-app: kubearmor-relay spec: containers: - image: kubearmor/kubearmor-relay-server:latest name: kubearmor-relay-server ports: - containerPort: 32767 nodeSelector: kubernetes.io/os: linux serviceAccountName: kubearmor --- apiVersion: apps/v1 kind: DaemonSet metadata: labels: kubearmor-app: kubearmor name: kubearmor namespace: kube-system spec: selector: matchLabels: kubearmor-app: kubearmor template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/kubearmor: unconfined labels: kubearmor-app: kubearmor spec: containers: - args: - -gRPC=32767 - -logPath=/tmp/kubearmor.log - -enableKubeArmorHostPolicy image: kubearmor/kubearmor:stable imagePullPolicy: Always livenessProbe: exec: command: - /bin/bash - -c - if [ -z $(pgrep kubearmor) ]; then exit 1; fi; initialDelaySeconds: 60 periodSeconds: 10 name: kubearmor ports: - containerPort: 32767 securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /lib/modules name: lib-modules-path readOnly: true - mountPath: /sys/fs/bpf name: sys-fs-bpf-path - mountPath: /sys/kernel/security name: sys-kernel-security-path - mountPath: /sys/kernel/debug name: sys-kernel-debug-path - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true - mountPath: /media/root/usr name: usr-src-path readOnly: true - mountPath: /etc/apparmor.d name: etc-apparmor-d-path - mountPath: /var/run/containerd/containerd.sock name: containerd-sock-path readOnly: true - mountPath: /run/containerd name: containerd-storage-path readOnly: true - mountPath: /var/lib/docker name: docker-storage-path readOnly: true dnsPolicy: ClusterFirstWithHostNet hostNetwork: true hostPID: true nodeSelector: kubernetes.io/os: linux restartPolicy: Always serviceAccountName: kubearmor terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /lib/modules type: Directory name: lib-modules-path - hostPath: path: /sys/fs/bpf type: Directory name: sys-fs-bpf-path - hostPath: path: /sys/kernel/security type: Directory name: sys-kernel-security-path - hostPath: path: /sys/kernel/debug type: Directory name: sys-kernel-debug-path - hostPath: path: /etc/os-release type: File name: os-release-path - hostPath: path: /usr type: Directory name: usr-src-path - hostPath: path: /etc/apparmor.d type: DirectoryOrCreate name: etc-apparmor-d-path - hostPath: path: /var/run/containerd/containerd.sock type: Socket name: containerd-sock-path - hostPath: path: /run/containerd type: DirectoryOrCreate name: containerd-storage-path - hostPath: path: /var/lib/docker type: DirectoryOrCreate name: docker-storage-path --- apiVersion: v1 kind: Service metadata: labels: kubearmor-app: kubearmor-policy-manager name: kubearmor-policy-manager-metrics-service namespace: kube-system spec: ports: - name: https port: 8443 targetPort: https selector: kubearmor-app: kubearmor-policy-manager --- apiVersion: apps/v1 kind: Deployment metadata: labels: kubearmor-app: kubearmor-policy-manager name: kubearmor-policy-manager namespace: kube-system spec: replicas: 1 selector: matchLabels: kubearmor-app: kubearmor-policy-manager template: metadata: annotations: kubearmor-policy: audited labels: kubearmor-app: kubearmor-policy-manager spec: containers: - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=10 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 name: kube-rbac-proxy ports: - containerPort: 8443 name: https resources: limits: cpu: 100m memory: 40Mi requests: cpu: 100m memory: 20Mi - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election command: - /manager image: kubearmor/kubearmor-policy-manager:latest name: kubearmor-policy-manager resources: limits: cpu: 100m memory: 40Mi requests: cpu: 100m memory: 20Mi serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- apiVersion: v1 kind: Service metadata: labels: kubearmor-app: kubearmor-host-policy-manager name: kubearmor-host-policy-manager-metrics-service namespace: kube-system spec: ports: - name: https port: 8443 targetPort: https selector: kubearmor-app: kubearmor-host-policy-manager --- apiVersion: apps/v1 kind: Deployment metadata: labels: kubearmor-app: kubearmor-host-policy-manager name: kubearmor-host-policy-manager namespace: kube-system spec: replicas: 1 selector: matchLabels: kubearmor-app: kubearmor-host-policy-manager template: metadata: annotations: kubearmor-policy: audited labels: kubearmor-app: kubearmor-host-policy-manager spec: containers: - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=10 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0 name: kube-rbac-proxy ports: - containerPort: 8443 name: https resources: limits: cpu: 100m memory: 40Mi requests: cpu: 100m memory: 20Mi - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election command: - /manager image: kubearmor/kubearmor-host-policy-manager:latest name: kubearmor-host-policy-manager resources: limits: cpu: 100m memory: 40Mi requests: cpu: 100m memory: 20Mi serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 name: kubearmorpolicies.security.kubearmor.com spec: group: security.kubearmor.com names: kind: KubeArmorPolicy listKind: KubeArmorPolicyList plural: kubearmorpolicies shortNames: - ksp singular: kubearmorpolicy scope: Namespaced versions: - name: v1 schema: openAPIV3Schema: description: KubeArmorPolicy is the Schema for the kubearmorpolicies API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: KubeArmorPolicySpec defines the desired state of KubeArmorPolicy properties: action: enum: - Allow - Audit - Block type: string apparmor: type: string capabilities: properties: action: enum: - Allow - Audit - Block type: string matchCapabilities: items: properties: action: enum: - Allow - Audit - Block type: string capability: pattern: (chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_admin|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|audit_write|audit_control|setfcap|mac_override|mac_admin)$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - capability type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - matchCapabilities type: object file: properties: action: enum: - Allow - Audit - Block type: string matchDirectories: items: properties: action: enum: - Allow - Audit - Block type: string dir: pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean readOnly: type: boolean recursive: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - dir type: object type: array matchPaths: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean path: pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - path type: object type: array matchPatterns: items: properties: action: enum: - Allow - Audit - Block type: string message: type: string ownerOnly: type: boolean pattern: type: string readOnly: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - pattern type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object message: type: string network: properties: action: enum: - Allow - Audit - Block type: string matchProtocols: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string protocol: pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - protocol type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - matchProtocols type: object process: properties: action: enum: - Allow - Audit - Block type: string matchDirectories: items: properties: action: enum: - Allow - Audit - Block type: string dir: pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean recursive: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - dir type: object type: array matchPaths: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean path: pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - path type: object type: array matchPatterns: items: properties: action: enum: - Allow - Audit - Block type: string message: type: string ownerOnly: type: boolean pattern: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - pattern type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object selector: properties: matchLabels: additionalProperties: type: string type: object type: object severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - selector type: object status: description: KubeArmorPolicyStatus defines the observed state of KubeArmorPolicy properties: status: type: string type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 name: kubearmorhostpolicies.security.kubearmor.com spec: group: security.kubearmor.com names: kind: KubeArmorHostPolicy listKind: KubeArmorHostPolicyList plural: kubearmorhostpolicies shortNames: - hsp singular: kubearmorhostpolicy scope: Cluster versions: - name: v1 schema: openAPIV3Schema: description: KubeArmorHostPolicy is the Schema for the kubearmorhostpolicies API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: KubeArmorHostPolicySpec defines the desired state of KubeArmorHostPolicy properties: action: enum: - Allow - Audit - Block type: string apparmor: type: string capabilities: properties: action: enum: - Allow - Audit - Block type: string matchCapabilities: items: properties: action: enum: - Allow - Audit - Block type: string capability: pattern: (chown|dac_override|dac_read_search|fowner|fsetid|kill|setgid|setuid|setpcap|linux_immutable|net_bind_service|net_broadcast|net_admin|net_raw|ipc_lock|ipc_owner|sys_module|sys_rawio|sys_chroot|sys_ptrace|sys_pacct|sys_admin|sys_boot|sys_nice|sys_resource|sys_time|sys_tty_config|mknod|lease|audit_write|audit_control|setfcap|mac_override|mac_admin)$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - capability - fromSource type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - matchCapabilities type: object file: properties: action: enum: - Allow - Audit - Block type: string matchDirectories: items: properties: action: enum: - Allow - Audit - Block type: string dir: pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean readOnly: type: boolean recursive: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - dir type: object type: array matchPaths: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean path: pattern: ^\/+.*[^\/]$ type: string readOnly: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - path type: object type: array matchPatterns: items: properties: action: enum: - Allow - Audit - Block type: string message: type: string ownerOnly: type: boolean pattern: type: string readOnly: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - pattern type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object message: type: string network: properties: action: enum: - Allow - Audit - Block type: string matchProtocols: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string protocol: pattern: (icmp|ICMP|tcp|TCP|udp|UDP|raw|RAW)$ type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - fromSource - protocol type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - matchProtocols type: object nodeSelector: properties: matchLabels: additionalProperties: type: string type: object type: object process: properties: action: enum: - Allow - Audit - Block type: string matchDirectories: items: properties: action: enum: - Allow - Audit - Block type: string dir: pattern: ^\/$|^\/.*\/$ type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean recursive: type: boolean severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - dir type: object type: array matchPaths: items: properties: action: enum: - Allow - Audit - Block type: string fromSource: items: properties: path: pattern: ^\/+.*[^\/]$ type: string type: object type: array message: type: string ownerOnly: type: boolean path: pattern: ^\/+.*[^\/]$ type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - path type: object type: array matchPatterns: items: properties: action: enum: - Allow - Audit - Block type: string message: type: string ownerOnly: type: boolean pattern: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - pattern type: object type: array message: type: string severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array type: object severity: maximum: 10 minimum: 1 type: integer tags: items: type: string type: array required: - nodeSelector type: object status: description: KubeArmorHostPolicyStatus defines the observed state of KubeArmorHostPolicy properties: status: type: string type: object type: object served: true storage: true subresources: status: {}