chore: add docker-compose file for securing unorchestrated container and hosts #1790

Open: wants to merge 4 commits into base: main
Conversation

navin772 (Contributor)

Purpose of PR?:

Fixes #1341

Does this PR introduce a breaking change?

If the changes in this PR are manually verified, list down the scenarios covered:
Explicitly adding the capabilities via cap_add and removing the privileged: true field gives error.

Additional information for reviewer?:
Mention if this PR is part of any design or a continuation of previous PRs

Suggest tag to be used for kubearmor/kubearmor image - latest or stable?
Documentation added for docker compose usage.

Checklist:

Signed-off-by: Navin Chandra <[email protected]>
@navin772 navin772 requested a review from daemon1024 June 27, 2024 15:38
@daemon1024 (Member)

@navin772 did we test this out? Does everything work as expected? Can you try running your test suite against this?

@navin772 (Contributor, Author)

@daemon1024 I will run the tests and share the results. Also, do we need a CI for docker mode?

@daemon1024 (Member)

@navin772 eventually yes, if you think it's easy to handle let's do it. But let's keep it in a separate PR.

The CI would need to run on the BPFLSM runner since we don't have first-class AppArmor support.

It might lead to continuous container spin-ups if kubearmor fails to start.

Signed-off-by: Navin Chandra <[email protected]>
@navin772 (Contributor, Author)

@daemon1024 I tested this on the non-k8s HSP test suite and the tests pass except one (enforcement works but the policy name is not matching).
I haven't included the Allow policies tests which require the host default posture to be Block due to system breaking concerns as discussed in slack.

Currently, just for testing, I ran the docker compose file in CI (which pulls the stable images), but we should be building the docker images first and then testing them.
Can you point me to how the kubearmor and kubearmor-init images are created so I can create a CI to test on them?

@navin772 (Contributor, Author)

navin772 commented Jul 1, 2024

@navin772 eventually yes, if you think it's easy to handle let's do it. But let's keep it in a separate PR.

The CI would need to run on the BPFLSM runner since we don't have first-class AppArmor support.

@daemon1024 @DelusionalOptimist this is the workflow that I ran to test in docker mode - workflow. I will add the BPFLSM runner when I create the PR.

Successfully merging this pull request may close these issues: Docker Compose Deployment for securing unorchestrated container (#1341)