
Add seccomp profile support to PodSecurityContext in Kubernetes for Skuber library #366

Merged
merged 6 commits into from
Feb 29, 2024

Conversation

Dream1Master (Contributor)

This pull request adds support for seccomp profiles in Kubernetes PodSecurityContext for the Skuber library. This change is necessary for better security compliance of the Skuber library.

The technical details of this change are as follows:

  • Added a new field to the PodSecurityContext struct in Skuber to support seccomp profiles.
  • Modified json parser to parse seccompProfile field from PodSecurityContext struct

This change is important because it provides better security compliance for the Skuber library. Seccomp profiles restrict the types of system calls that a container can make, reducing the attack surface of the container and improving overall security.

Information about restricting a container's syscalls with seccomp is available at https://kubernetes.io/docs/tutorials/security/seccomp/
A Linux seccomp overview is available at https://lwn.net/Articles/656307/

Thank you for your time and attention in reviewing this pull request. Please let me know if you have any questions or concerns.

case operator => JsError(s"Unknown Seccomp profile '$operator'")
}

case _ => JsError(s"Unknown Seccomp")
@hagay3 (Owner) commented Feb 27, 2024

Please treat the error in a more resilient way: you can return Option[SeccompProfile] and in that case return None,
or you can configure a profile that is "Unknown".

Dream1Master (Contributor, Author)

Replaced JsError with the "Unknown" profile.

@hagay3 (Owner) left a comment

@Dream1Master
Thank you for taking the time and contributing to skuber :)

In addition, if you could invest some time and create an integration test for PodFormat, that would be great.
You can take the PodFormatSpec integration test under the it folder as an example.

case Some(JsString("Localhost")) =>
val profileConfigPath: String = fields("localhostProfile").as[String]
JsSuccess(Security.LocalhostProfile(profileConfigPath))
case operator => JsError(s"Unknown Seccomp profile '$operator'")
@hagay3 (Owner)

Same here.

Dream1Master (Contributor, Author)

Replaced JsError with the "Unknown" profile.
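The two review threads above both turn on the same point: when the `seccompProfile` object carries a `type` the client does not recognise, the parser should degrade to an "Unknown" value rather than fail the whole pod read. The following is an added example, not Skuber code and not part of this PR; it models the same three Kubernetes profile types (`RuntimeDefault`, `Localhost` with `localhostProfile`, `Unconfined`) plus an `UnknownProfile` fallback in Python, resolves the effective profile per container (a container-level `securityContext.seccompProfile` overrides the pod-level one), and runs a small audit over a constructed pod manifest. Class and function names, and the sample manifest, are assumptions of this example.

```python
"""Resilient parsing of the Kubernetes seccompProfile field (added example, not Skuber code)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class RuntimeDefaultProfile:
    """type: RuntimeDefault -- the container runtime's default syscall filter."""


@dataclass(frozen=True)
class UnconfinedProfile:
    """type: Unconfined -- no syscall filtering at all."""


@dataclass(frozen=True)
class LocalhostProfile:
    """type: Localhost -- a profile file under the kubelet's seccomp root directory."""
    localhost_profile: str


@dataclass(frozen=True)
class UnknownProfile:
    """Fallback for a type this parser does not recognise (the reviewer's 'Unknown' profile)."""
    raw_type: Optional[str]


SeccompProfile = Union[RuntimeDefaultProfile, UnconfinedProfile, LocalhostProfile, UnknownProfile]


def parse_seccomp_profile(security_context: dict) -> Optional[SeccompProfile]:
    """Return the profile set in a securityContext, None if the field is absent, never raise."""
    profile = security_context.get("seccompProfile")
    if profile is None:
        return None  # field absent: nothing configured at this level
    if not isinstance(profile, dict):
        return UnknownProfile(None)  # malformed object: keep the rest of the pod readable
    ptype = profile.get("type")
    if ptype == "RuntimeDefault":
        return RuntimeDefaultProfile()
    if ptype == "Unconfined":
        return UnconfinedProfile()
    if ptype == "Localhost":
        path = profile.get("localhostProfile")
        if not isinstance(path, str):
            # Localhost requires localhostProfile; treat the incomplete object as unknown
            return UnknownProfile(ptype)
        return LocalhostProfile(path)
    return UnknownProfile(ptype)


def effective_profiles(pod: dict) -> Dict[str, Optional[SeccompProfile]]:
    """Map container name -> effective profile; a container-level setting overrides the pod-level one."""
    spec = pod.get("spec", {})
    pod_level = parse_seccomp_profile(spec.get("securityContext", {}))
    result: Dict[str, Optional[SeccompProfile]] = {}
    for container in spec.get("containers", []):
        container_level = parse_seccomp_profile(container.get("securityContext", {}))
        result[container["name"]] = container_level if container_level is not None else pod_level
    return result


def audit_pod(pod: dict) -> List[str]:
    """Flag containers that end up with no filter, or with a profile type we cannot interpret."""
    findings: List[str] = []
    for name, profile in effective_profiles(pod).items():
        if profile is None or isinstance(profile, UnconfinedProfile):
            findings.append(f"{name}: no seccomp filtering (Unconfined or unset)")
        elif isinstance(profile, UnknownProfile):
            findings.append(f"{name}: unrecognised seccompProfile type {profile.raw_type!r}")
    return findings


# Constructed sample manifest for this example (not from the page or from Skuber).
SAMPLE_POD = json.loads("""
{ "spec": {
    "securityContext": { "seccompProfile": { "type": "RuntimeDefault" } },
    "containers": [
      { "name": "app" },
      { "name": "debug",   "securityContext": { "seccompProfile": { "type": "Unconfined" } } },
      { "name": "sidecar", "securityContext": { "seccompProfile": { "type": "Localhost",
                                                                   "localhostProfile": "profiles/audit.json" } } },
      { "name": "legacy",  "securityContext": { "seccompProfile": { "type": "SomethingNew" } } }
    ] } }
""")

if __name__ == "__main__":
    for line in audit_pod(SAMPLE_POD):
        print(line)
```

Returning `UnknownProfile` instead of raising keeps a single unexpected value from making every other field of the pod unreadable, while still leaving the unrecognised type visible to anything that audits the result; that is the trade-off the reviewer asks for.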

@Dream1Master (Contributor, Author)

@Dream1Master Thank you for taking the time and contributing to skuber :)

In addition, if you could invest some time and create an integration test for PodFormat that would be great. you can take as an example PodFormatSpec integration test under it folder.

I have created integration tests for the PodFormatSpec in the format package, located in the it folder. I would appreciate it if you could take a moment to review the changes and let me know if they meet your expectations.

@hagay3 hagay3 merged commit 075a396 into hagay3:master Feb 29, 2024
10 checks passed
@hagay3 (Owner)

hagay3 commented Mar 4, 2024

@Dream1Master v4.0.3 has been released with the seccomp profile.
