apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: app: security-profiles-operator name: profilebindings.security-profiles-operator.x-k8s.io spec: group: security-profiles-operator.x-k8s.io names: kind: ProfileBinding listKind: ProfileBindingList plural: profilebindings singular: profilebinding scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: ProfileBinding is the Schema for the profilebindings API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ProfileBindingSpec defines the desired state of ProfileBinding. properties: image: description: |- Image name within pod containers to match to the profile. Use the "*" string to bind the profile to all pods. type: string profileRef: description: ProfileRef references a SeccompProfile or other profile type in the current namespace. properties: kind: description: Kind of object to be bound. enum: - SeccompProfile - SelinuxProfile type: string name: description: Name of the profile within the current namespace to which to bind the selected pods. type: string required: - kind - name type: object required: - image - profileRef type: object status: description: ProfileBindingStatus contains status of the Profilebinding. properties: activeWorkloads: items: type: string type: array type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: app: security-profiles-operator name: profilerecordings.security-profiles-operator.x-k8s.io spec: group: security-profiles-operator.x-k8s.io names: kind: ProfileRecording listKind: ProfileRecordingList plural: profilerecordings singular: profilerecording scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .spec.podSelector name: PodSelector priority: 10 type: string name: v1alpha1 schema: openAPIV3Schema: description: ProfileRecording is the Schema for the profilerecordings API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ProfileRecordingSpec defines the desired state of ProfileRecording. properties: containers: description: |- Containers is a set of containers to record. This allows to select only specific containers to record instead of all containers present in the pod. items: type: string type: array disableProfileAfterRecording: default: false description: |- DisableProfileAfterRecording indicates whether the profile should be disabled after recording and thus skipped during reconcile. In case of SELinux profiles, reconcile can take a significant amount of time and for all profiles might not be needed. This Defaults to false. type: boolean kind: description: Kind of object to be recorded. enum: - SeccompProfile - SelinuxProfile - ApparmorProfile type: string mergeStrategy: default: none description: |- Whether or how to merge recorded profiles. Can be one of "none" or "containers". Default is "none". enum: - none - containers type: string podSelector: description: |- PodSelector selects the pods to record. This field follows standard label selector semantics. An empty podSelector matches all pods in this namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic recorder: description: Recorder to be used. enum: - bpf - logs type: string required: - kind - podSelector - recorder type: object status: description: ProfileRecordingStatus contains status of the ProfileRecording. properties: activeWorkloads: items: type: string type: array type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: app: security-profiles-operator name: seccompprofiles.security-profiles-operator.x-k8s.io spec: group: security-profiles-operator.x-k8s.io names: kind: SeccompProfile listKind: SeccompProfileList plural: seccompprofiles shortNames: - sp singular: seccompprofile scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .status.status name: Status type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .status.localhostProfile name: LocalhostProfile priority: 10 type: string name: v1beta1 schema: openAPIV3Schema: description: |- SeccompProfile is a cluster level specification for a seccomp profile. See https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: SeccompProfileSpec defines the desired state of SeccompProfile. properties: architectures: description: the architecture used for system calls items: enum: - SCMP_ARCH_NATIVE - SCMP_ARCH_X86 - SCMP_ARCH_X86_64 - SCMP_ARCH_X32 - SCMP_ARCH_ARM - SCMP_ARCH_AARCH64 - SCMP_ARCH_MIPS - SCMP_ARCH_MIPS64 - SCMP_ARCH_MIPS64N32 - SCMP_ARCH_MIPSEL - SCMP_ARCH_MIPSEL64 - SCMP_ARCH_MIPSEL64N32 - SCMP_ARCH_PPC - SCMP_ARCH_PPC64 - SCMP_ARCH_PPC64LE - SCMP_ARCH_S390 - SCMP_ARCH_S390X - SCMP_ARCH_PARISC - SCMP_ARCH_PARISC64 - SCMP_ARCH_RISCV64 type: string type: array baseProfileName: description: |- BaseProfileName is the name of base profile (in the same namespace) that will be unioned into this profile. Base profiles can be references as remote OCI artifacts as well when prefixed with `oci://`. type: string defaultAction: description: the default action for seccomp enum: - SCMP_ACT_KILL - SCMP_ACT_KILL_PROCESS - SCMP_ACT_KILL_THREAD - SCMP_ACT_TRAP - SCMP_ACT_ERRNO - SCMP_ACT_TRACE - SCMP_ACT_ALLOW - SCMP_ACT_LOG - SCMP_ACT_NOTIFY type: string disabled: default: false description: Whether the profile is disabled and should be skipped during reconciliation. type: boolean flags: description: list of flags to use with seccomp(2) items: enum: - SECCOMP_FILTER_FLAG_TSYNC - SECCOMP_FILTER_FLAG_LOG - SECCOMP_FILTER_FLAG_SPEC_ALLOW - SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV type: string type: array listenerMetadata: description: opaque data to pass to the seccomp agent type: string listenerPath: description: path of UNIX domain socket to contact a seccomp agent for SCMP_ACT_NOTIFY type: string syscalls: description: |- match a syscall in seccomp. While this property is OPTIONAL, some values of defaultAction are not useful without syscalls entries. For example, if defaultAction is SCMP_ACT_KILL and syscalls is empty or unset, the kernel will kill the container process on its first syscall items: description: Syscall defines a syscall in seccomp. properties: action: description: the action for seccomp rules enum: - SCMP_ACT_KILL - SCMP_ACT_KILL_PROCESS - SCMP_ACT_KILL_THREAD - SCMP_ACT_TRAP - SCMP_ACT_ERRNO - SCMP_ACT_TRACE - SCMP_ACT_ALLOW - SCMP_ACT_LOG - SCMP_ACT_NOTIFY type: string args: description: the specific syscall in seccomp items: description: Arg defines the specific syscall in seccomp. properties: index: description: the index for syscall arguments in seccomp minimum: 0 type: integer op: description: the operator for syscall arguments in seccomp enum: - SCMP_CMP_NE - SCMP_CMP_LT - SCMP_CMP_LE - SCMP_CMP_EQ - SCMP_CMP_GE - SCMP_CMP_GT - SCMP_CMP_MASKED_EQ type: string value: description: the value for syscall arguments in seccomp format: int64 minimum: 0 type: integer valueTwo: description: the value for syscall arguments in seccomp format: int64 minimum: 0 type: integer required: - index - op type: object maxItems: 6 type: array errnoRet: description: |- the errno return code to use. Some actions like SCMP_ACT_ERRNO and SCMP_ACT_TRACE allow to specify the errno code to return type: integer names: description: the names of the syscalls items: type: string type: array required: - action - names type: object type: array required: - defaultAction type: object status: description: SeccompProfileStatus contains status of the deployed SeccompProfile. properties: activeWorkloads: items: type: string type: array conditions: description: Conditions of the resource. items: description: A Condition that may apply to a resource. properties: lastTransitionTime: description: |- LastTransitionTime is the last time this condition transitioned from one status to another. format: date-time type: string message: description: |- A Message containing details about this condition's last transition from one status to another, if any. type: string reason: description: A Reason for this condition's last transition from one status to another. type: string status: description: Status of this condition; is it currently True, False, or Unknown? type: string type: description: |- Type of this condition. At most one of each condition type may apply to a resource at any point in time. type: string required: - lastTransitionTime - reason - status - type type: object type: array localhostProfile: description: |- The path that should be provided to the `securityContext.seccompProfile.localhostProfile` field of a Pod or container spec type: string path: type: string status: description: |- ProfileState defines the state that the profile is in. A profile in this context refers to a SeccompProfile or a SELinux profile, the states are shared between them as well as the management API. type: string type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: app: security-profiles-operator name: securityprofilenodestatuses.security-profiles-operator.x-k8s.io spec: group: security-profiles-operator.x-k8s.io names: kind: SecurityProfileNodeStatus listKind: SecurityProfileNodeStatusList plural: securityprofilenodestatuses shortNames: - spns singular: securityprofilenodestatus scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .status name: Status type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .nodeName name: Node priority: 10 type: string name: v1alpha1 schema: openAPIV3Schema: description: SecurityProfileNodeStatus is a per-node status of a security profile properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object nodeName: type: string spec: type: object status: description: |- ProfileState defines the state that the profile is in. A profile in this context refers to a SeccompProfile or a SELinux profile, the states are shared between them as well as the management API. type: string required: - nodeName type: object served: true storage: true subresources: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: app: security-profiles-operator name: securityprofilesoperatordaemons.security-profiles-operator.x-k8s.io spec: group: security-profiles-operator.x-k8s.io names: kind: SecurityProfilesOperatorDaemon listKind: SecurityProfilesOperatorDaemonList plural: securityprofilesoperatordaemons shortNames: - spod singular: securityprofilesoperatordaemon scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .status.state name: State type: string name: v1alpha1 schema: openAPIV3Schema: description: SecurityProfilesOperatorDaemon is the Schema to configure the spod deployment. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: SPODStatus defines the desired state of SPOD. properties: affinity: description: Affinity if specified, the SPOD's affinity. properties: nodeAffinity: description: Describes node affinity scheduling rules for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. items: description: |- An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). properties: preference: description: A node selector term, associated with the corresponding weight. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: |- Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: |- An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: |- Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: |- An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. format: int32 type: integer required: - preference - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: |- If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. properties: nodeSelectorTerms: description: Required. A list of node selector terms. The terms are ORed. items: description: |- A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. properties: matchExpressions: description: A list of node selector requirements by node's labels. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: |- Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: |- An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchFields: description: A list of node selector requirements by node's fields. items: description: |- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: The label key that the selector applies to. type: string operator: description: |- Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. type: string values: description: |- An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array type: object x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: |- A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic matchLabelKeys: description: |- MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: description: |- MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: description: |- namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: |- weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: |- If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: |- Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: |- A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic matchLabelKeys: description: |- MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: description: |- MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: description: |- namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object podAntiAffinity: description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: description: |- The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) properties: podAffinityTerm: description: Required. A pod affinity term, associated with the corresponding weight. properties: labelSelector: description: |- A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic matchLabelKeys: description: |- MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: description: |- MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: description: |- namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object weight: description: |- weight associated with matching the corresponding podAffinityTerm, in the range 1-100. format: int32 type: integer required: - podAffinityTerm - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: description: |- If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. items: description: |- Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running properties: labelSelector: description: |- A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic matchLabelKeys: description: |- MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic mismatchLabelKeys: description: |- MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: description: |- A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: description: |- namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: description: |- This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. type: string required: - topologyKey type: object type: array type: object type: object allowedSeccompActions: description: AllowedSeccompActions if specified, a list of allowed seccomp actions. items: description: Action taken upon Seccomp rule match type: string type: array allowedSyscalls: description: |- AllowedSyscalls if specified, a list of system calls which are allowed in seccomp profiles. items: type: string type: array daemonResourceRequirements: description: |- DaemonResourceRequirements if defined, overwrites the default resource requirements of SPOD daemon. properties: claims: description: |- Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. This field is immutable. It can only be set for containers. items: description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: name: description: |- Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. type: string required: - name type: object type: array x-kubernetes-list-map-keys: - name x-kubernetes-list-type: map limits: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: |- Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object requests: additionalProperties: anyOf: - type: integer - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true description: |- Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object disableOciArtifactSignatureVerification: description: |- DisableOCIArtifactSignatureVerification can be used to disable OCI artifact signature verification. type: boolean enableAppArmor: description: |- tells the operator whether or not to enable AppArmor support for this SPOD instance. type: boolean enableBpfRecorder: description: |- tells the operator whether or not to enable bpf recorder support for this SPOD instance. type: boolean enableLogEnricher: description: |- tells the operator whether or not to enable log enrichment support for this SPOD instance. type: boolean enableMemoryOptimization: description: |- EnableMemoryOptimization enables memory optimization in the controller running inside of SPOD instance and watching for pods in the cluster. This will make the controller loading in the cache memory only the pods labelled explicitly for profile recording with 'spo.x-k8s.io/enable-recording=true'. type: boolean enableProfiling: description: |- EnableProfiling tells the operator whether or not to enable profiling support for this SPOD instance. type: boolean enableSelinux: description: |- tells the operator whether or not to enable SELinux support for this SPOD instance. type: boolean hostProcVolumePath: description: |- HostProcVolumePath is the path for specifying a custom host /proc volume, which is required for the log-enricher as well as bpf-recorder to retrieve the container ID for a process ID. This can be helpful for nested environments, for example when using "kind". type: string imagePullSecrets: description: |- ImagePullSecrets if defined, list of references to secrets in the security-profiles-operator's namespace to use for pulling the images from SPOD pod from a private registry. items: description: |- LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. properties: name: description: |- Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic type: array priorityClassName: default: system-node-critical description: PriorityClassName if defined, indicates the spod pod priority class. type: string selinuxOptions: description: |- Defines options specific to the SELinux functionality of the SecurityProfilesOperator properties: allowedSystemProfiles: default: - container description: |- Lists the profiles coming from the system itself that are allowed to be inherited by workloads. Use this with care, as this might provide a lot of permissions depending on the policy. items: type: string type: array type: object selinuxTypeTag: default: spc_t description: If specified, the SELinux type tag applied to the security context of SPOD. type: string staticWebhookConfig: description: |- StaticWebhookConfig indicates whether the webhook configuration and its related resources are statically deployed. In this case, the operator will not create or update the webhook configuration and its related resources. type: boolean tolerations: description: If specified, the SPOD's tolerations. items: description: |- The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . properties: effect: description: |- Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: |- Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: |- Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: |- TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: |- Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object type: array verbosity: description: Verbosity specifies the logging verbosity of the daemon. type: integer webhookOptions: description: |- WebhookOpts set custom namespace selectors and failure mode for SPO's webhooks items: properties: failurePolicy: description: FailurePolicy sets the webhook failure policy type: string name: description: Name specifies which webhook do we configure type: string namespaceSelector: description: NamespaceSelector sets webhook's namespace selector properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic objectSelector: description: ObjectSelector sets webhook's object selector properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: |- A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: |- operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: |- values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: |- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object type: array type: object status: description: SPODStatus defines the observed state of SPOD. properties: conditions: description: Conditions of the resource. items: description: A Condition that may apply to a resource. properties: lastTransitionTime: description: |- LastTransitionTime is the last time this condition transitioned from one status to another. format: date-time type: string message: description: |- A Message containing details about this condition's last transition from one status to another, if any. type: string reason: description: A Reason for this condition's last transition from one status to another. type: string status: description: Status of this condition; is it currently True, False, or Unknown? type: string type: description: |- Type of this condition. At most one of each condition type may apply to a resource at any point in time. type: string required: - lastTransitionTime - reason - status - type type: object type: array state: description: |- Represents the state that the policy is in. Can be: PENDING, IN-PROGRESS, RUNNING or ERROR type: string type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: app: security-profiles-operator name: rawselinuxprofiles.security-profiles-operator.x-k8s.io spec: group: security-profiles-operator.x-k8s.io names: kind: RawSelinuxProfile listKind: RawSelinuxProfileList plural: rawselinuxprofiles singular: rawselinuxprofile scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .status.usage name: Usage type: string - jsonPath: .status.status name: State type: string name: v1alpha2 schema: openAPIV3Schema: description: RawSelinuxProfile is the Schema for the rawselinuxprofiles API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: RawSelinuxProfileSpec defines the desired state of RawSelinuxProfile. properties: disabled: default: false description: Whether the profile is disabled and should be skipped during reconciliation. type: boolean policy: type: string type: object status: description: SelinuxProfileStatus defines the observed state of SelinuxProfile. properties: activeWorkloads: items: type: string type: array conditions: description: Conditions of the resource. items: description: A Condition that may apply to a resource. properties: lastTransitionTime: description: |- LastTransitionTime is the last time this condition transitioned from one status to another. format: date-time type: string message: description: |- A Message containing details about this condition's last transition from one status to another, if any. type: string reason: description: A Reason for this condition's last transition from one status to another. type: string status: description: Status of this condition; is it currently True, False, or Unknown? type: string type: description: |- Type of this condition. At most one of each condition type may apply to a resource at any point in time. type: string required: - lastTransitionTime - reason - status - type type: object type: array status: description: |- ProfileState defines the state that the profile is in. A profile in this context refers to a SeccompProfile or a SELinux profile, the states are shared between them as well as the management API. type: string usage: description: |- Represents the string that the SelinuxProfile object can be referenced as in a pod seLinuxOptions section. type: string type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: app: security-profiles-operator name: selinuxprofiles.security-profiles-operator.x-k8s.io spec: group: security-profiles-operator.x-k8s.io names: kind: SelinuxProfile listKind: SelinuxProfileList plural: selinuxprofiles singular: selinuxprofile scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .status.usage name: Usage type: string - jsonPath: .status.status name: State type: string name: v1alpha2 schema: openAPIV3Schema: description: SelinuxProfile is the Schema for the selinuxprofiles API. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: SelinuxProfileSpec defines the desired state of SelinuxProfile. properties: allow: additionalProperties: additionalProperties: items: type: string type: array type: object description: Defines the allow policy for the profile type: object disabled: default: false description: Whether the profile is disabled and should be skipped during reconciliation. type: boolean inherit: default: - kind: System name: container description: |- A SELinuxProfile or set of profiles that this inherits from. Note that they need to be in the same namespace. items: properties: kind: default: System description: |- The Kind of the policy that this inherits from. Can be a SelinuxProfile object Or "System" if an already installed policy will be used. The allowed "System" policies are available in the SecurityProfilesOperatorDaemon instance. enum: - System - SelinuxProfile type: string name: description: The name of the policy that this inherits from. type: string required: - name type: object type: array permissive: default: false description: |- Permissive, when true will cause the SELinux profile to only log violations instead of enforcing them. type: boolean type: object status: description: SelinuxProfileStatus defines the observed state of SelinuxProfile. properties: activeWorkloads: items: type: string type: array conditions: description: Conditions of the resource. items: description: A Condition that may apply to a resource. properties: lastTransitionTime: description: |- LastTransitionTime is the last time this condition transitioned from one status to another. format: date-time type: string message: description: |- A Message containing details about this condition's last transition from one status to another, if any. type: string reason: description: A Reason for this condition's last transition from one status to another. type: string status: description: Status of this condition; is it currently True, False, or Unknown? type: string type: description: |- Type of this condition. At most one of each condition type may apply to a resource at any point in time. type: string required: - lastTransitionTime - reason - status - type type: object type: array status: description: |- ProfileState defines the state that the profile is in. A profile in this context refers to a SeccompProfile or a SELinux profile, the states are shared between them as well as the management API. type: string usage: description: |- Represents the string that the SelinuxProfile object can be referenced as in a pod seLinuxOptions section. type: string type: object type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null labels: app: security-profiles-operator name: apparmorprofiles.security-profiles-operator.x-k8s.io spec: group: security-profiles-operator.x-k8s.io names: kind: AppArmorProfile listKind: AppArmorProfileList plural: apparmorprofiles shortNames: - aa singular: apparmorprofile scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: description: AppArmorProfile is the Schema for the apparmorprofiles API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: AppArmorProfileSpec defines the desired state of AppArmorProfile properties: policy: type: string required: - policy type: object status: description: AppArmorProfileStatus defines the observed state of AppArmorProfile type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: v1 kind: Namespace metadata: labels: app: security-profiles-operator openshift.io/cluster-monitoring: "true" pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged name: security-profiles-operator --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: security-profiles-operator name: security-profiles-operator namespace: security-profiles-operator --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: security-profiles-operator name: spod namespace: security-profiles-operator --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: security-profiles-operator name: spo-webhook namespace: security-profiles-operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: security-profiles-operator name: security-profiles-operator rules: - apiGroups: - "" resourceNames: - security-profiles-operator-profile resources: - configmaps verbs: - get - apiGroups: - "" resources: - nodes verbs: - get - list - watch - apiGroups: - "" resources: - services verbs: - create - get - list - patch - update - watch - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations verbs: - create - get - list - patch - update - watch - apiGroups: - apps resources: - daemonsets - deployments verbs: - create - get - list - patch - update - watch - apiGroups: - apps resources: - daemonsets/finalizers - deployments verbs: - delete - get - patch - update - apiGroups: - apps resources: - deployments verbs: - get - list - watch - apiGroups: - cert-manager.io resources: - certificates - issuers verbs: - create - get - list - patch - update - watch - apiGroups: - config.openshift.io resources: - clusteroperators verbs: - get - list - watch - apiGroups: - "" resources: - events verbs: - create - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - monitoring.coreos.com resources: - servicemonitors verbs: - create - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilerecordings verbs: - get - list - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilerecordings/finalizers verbs: - get - list - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - rawselinuxprofiles verbs: - create - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - rawselinuxprofiles/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - rawselinuxprofiles/status verbs: - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - seccompprofiles verbs: - create - delete - deletecollection - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - seccompprofiles/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - seccompprofiles/status verbs: - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - securityprofilenodestatuses verbs: - delete - get - list - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - securityprofilesoperatordaemons verbs: - create - get - list - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - securityprofilesoperatordaemons/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - securityprofilesoperatordaemons/status verbs: - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - selinuxprofiles verbs: - create - delete - deletecollection - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - selinuxprofiles/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - selinuxprofiles/status verbs: - get - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app: security-profiles-operator name: security-profiles-operator namespace: security-profiles-operator rules: - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - update - apiGroups: - security.openshift.io resources: - securitycontextconstraints verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: security-profiles-operator name: spod rules: - apiGroups: - authentication.k8s.io resources: - subjectaccessreviews - tokenreviews verbs: - create - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create - apiGroups: - "" resources: - events verbs: - create - get - patch - update - apiGroups: - "" resources: - nodes verbs: - get - list - watch - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - apparmorprofiles verbs: - create - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - apparmorprofiles/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - apparmorprofiles/status verbs: - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilerecordings verbs: - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - rawselinuxprofiles verbs: - create - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - rawselinuxprofiles/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - rawselinuxprofiles/status verbs: - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - seccompprofiles verbs: - create - delete - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - seccompprofiles/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - seccompprofiles/status verbs: - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - securityprofilenodestatuses verbs: - create - delete - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - securityprofilesoperatordaemons verbs: - get - list - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - selinuxprofiles verbs: - create - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - selinuxprofiles/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - selinuxprofiles/status verbs: - get - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app: security-profiles-operator name: spod namespace: security-profiles-operator rules: - apiGroups: - security.openshift.io resources: - securitycontextconstraints verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: security-profiles-operator name: spo-webhook rules: - apiGroups: - "" resources: - events verbs: - create - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilebindings verbs: - create - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilebindings/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilebindings/status verbs: - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilerecordings verbs: - create - get - list - patch - update - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilerecordings/finalizers verbs: - delete - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - profilerecordings/status verbs: - get - patch - update - apiGroups: - security-profiles-operator.x-k8s.io resources: - seccompprofiles verbs: - get - list - watch - apiGroups: - security-profiles-operator.x-k8s.io resources: - selinuxprofiles verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app: security-profiles-operator name: spo-webhook namespace: security-profiles-operator rules: - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - apiGroups: - coordination.k8s.io resourceNames: - security-profiles-operator-webhook-lock resources: - leases verbs: - get - patch - update - apiGroups: - security.openshift.io resources: - securitycontextconstraints verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: security-profiles-operator name: security-profiles-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: security-profiles-operator subjects: - kind: ServiceAccount name: security-profiles-operator namespace: security-profiles-operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: security-profiles-operator name: security-profiles-operator namespace: security-profiles-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: security-profiles-operator subjects: - kind: ServiceAccount name: security-profiles-operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: security-profiles-operator name: spod roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: spod subjects: - kind: ServiceAccount name: spod namespace: security-profiles-operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: security-profiles-operator name: spod namespace: security-profiles-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: spod subjects: - kind: ServiceAccount name: spod namespace: security-profiles-operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: security-profiles-operator name: spo-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: spo-webhook subjects: - kind: ServiceAccount name: spo-webhook namespace: security-profiles-operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: security-profiles-operator name: spo-webhook namespace: security-profiles-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: spo-webhook subjects: - kind: ServiceAccount name: spo-webhook --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: labels: app: security-profiles-operator name: spo-mutating-webhook-configuration --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: app: security-profiles-operator name: spo-metrics-client rules: - nonResourceURLs: - /metrics - /metrics-spod verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: app: security-profiles-operator name: spo-metrics-client roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: spo-metrics-client subjects: - kind: ServiceAccount name: default namespace: security-profiles-operator --- apiVersion: v1 kind: Secret metadata: annotations: kubernetes.io/service-account.name: default labels: app: security-profiles-operator name: metrics-token namespace: security-profiles-operator type: kubernetes.io/service-account-token --- apiVersion: v1 data: security-profiles-operator.json: | { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64" ], "syscalls": [ { "names": [ "accept4", "access", "arch_prctl", "bind", "brk", "capget", "capset", "chdir", "clock_gettime", "clone", "clone3", "close", "connect", "epoll_create1", "epoll_ctl", "epoll_pwait", "epoll_wait", "execve", "exit", "exit_group", "fchown", "fcntl", "flock", "fstat", "fstatfs", "fsync", "futex", "getcwd", "getdents64", "getgid", "getpeername", "getpgrp", "getpid", "getppid", "getrandom", "getrlimit", "getsockname", "getsockopt", "gettid", "getuid", "inotify_add_watch", "inotify_init1", "listen", "lseek", "madvise", "membarrier", "mkdirat", "mlock", "mmap", "mprotect", "munmap", "nanosleep", "newfstatat", "open", "openat", "pipe2", "prctl", "pread64", "prlimit64", "read", "readlink", "readlinkat", "renameat", "rseq", "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "sched_getaffinity", "sched_yield", "set_robust_list", "set_tid_address", "setgid", "setgroups", "setsockopt", "setuid", "sigaltstack", "socket", "tgkill", "time", "uname", "unlinkat", "write" ], "action": "SCMP_ACT_ALLOW" } ] } selinuxd-image-mapping.json: | [ { "regex":"(.*)(CoreOS).*([\\d+])\\.8[\\d+]\\.(.*)", "imageFromVar":"RELATED_IMAGE_SELINUXD_EL8" }, { "regex":"(.*)(CoreOS).*([\\d+])\\.9[\\d+]\\.(.*)", "imageFromVar":"RELATED_IMAGE_SELINUXD_EL9" }, { "regex":"Fedora \\d+", "imageFromVar":"RELATED_IMAGE_SELINUXD_FEDORA" } ] selinuxd.cil: | (block selinuxd (blockinherit container) (allow process process ( capability ( dac_override dac_read_search lease audit_write audit_control ))) (allow process default_context_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) (allow process default_context_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process default_context_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process default_context_t ( sock_file ( append getattr open read write ))) (allow process etc_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write watch ))) (allow process etc_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process etc_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process etc_t ( sock_file ( append getattr open read write ))) (allow process file_context_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) (allow process file_context_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process file_context_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process file_context_t ( sock_file ( append getattr open read write ))) (allow process security_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process security_t ( security ( load_policy ))) (allow process selinux_config_t ( dir ( add_name create getattr ioctl lock open read remove_name rename rmdir search setattr write ))) (allow process selinux_config_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process selinux_config_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process selinux_config_t ( sock_file ( append getattr open read write ))) (allow process selinux_login_config_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) (allow process selinux_login_config_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process selinux_login_config_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process selinux_login_config_t ( sock_file ( append getattr open read write ))) (allow process semanage_read_lock_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) (allow process semanage_read_lock_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process semanage_read_lock_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process semanage_read_lock_t ( sock_file ( append getattr open read write ))) (allow process semanage_store_t ( dir ( add_name create getattr ioctl lock open read rename remove_name rmdir search setattr write ))) (allow process semanage_store_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process semanage_store_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process semanage_store_t ( sock_file ( append getattr open read write ))) (allow process semanage_trans_lock_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) (allow process semanage_trans_lock_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process semanage_trans_lock_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process semanage_trans_lock_t ( sock_file ( append getattr open read write ))) (allow process sysfs_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) (allow process sysfs_t ( fifo_file ( getattr read write append ioctl lock open ))) (allow process sysfs_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) (allow process sysfs_t ( sock_file ( append getattr open read write ))) ) selinuxrecording.cil: | (block selinuxrecording (blockinherit container) (typepermissive process) ) kind: ConfigMap metadata: labels: app: security-profiles-operator name: security-profiles-operator-profile namespace: security-profiles-operator --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: security-profiles-operator name: security-profiles-operator namespace: security-profiles-operator spec: replicas: 3 selector: matchLabels: app: security-profiles-operator name: security-profiles-operator template: metadata: labels: app: security-profiles-operator name: security-profiles-operator spec: containers: - args: - manager env: - name: RELATED_IMAGE_RBAC_PROXY value: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 - name: RELATED_IMAGE_SELINUXD value: quay.io/security-profiles-operator/selinuxd - name: RELATED_IMAGE_SELINUXD_EL8 value: quay.io/security-profiles-operator/selinuxd-el8:latest - name: RELATED_IMAGE_SELINUXD_EL9 value: quay.io/security-profiles-operator/selinuxd-el9:latest - name: RELATED_IMAGE_SELINUXD_FEDORA value: quay.io/security-profiles-operator/selinuxd-fedora:latest - name: OPERATOR_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: WATCH_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.annotations['olm.targetNamespaces'] - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: KUBELET_DIR value: /var/lib/kubelet image: gcr.io/k8s-staging-sp-operator/security-profiles-operator:latest imagePullPolicy: Always name: security-profiles-operator resources: limits: cpu: 500m memory: 128Mi requests: cpu: 250m memory: 50Mi securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true securityContext: seccompProfile: type: RuntimeDefault serviceAccountName: security-profiles-operator tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/control-plane operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists