►
From YouTube: Enhancing Kubernetes with the Security Profiles Operator - Colleen Murphy & Sascha Grunert, Red Hat
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Enhancing Kubernetes with the Security Profiles Operator - Colleen Murphy & Sascha Grunert, Red Hat
Kubernetes provides ways for container workloads to leverage Linux security features like seccomp, Apparmor, and SELinux, technologies that allow applications to be bound by security profiles that prevent unexpected and malicious behavior. But crafting and deploying these profiles is a manual process that requires administrators to operate directly on the underlying host and end-users to have knowledge of the security configurations of the hosts.
The Security Profiles Operator is an out-of-tree Kubernetes enhancement that provides cloud-native APIs to manage these profiles.
In this session, Colleen and Sascha will discuss how the Security Profiles Operator has evolved. They demonstrate how the project empowers workload security by making seccomp profiles easier to use inside of Kubernetes. Besides that, they will speak about the future of the project, how it may integrate into Kubernetes and what it means to combine profile-based security features managed from one source of truth.
B
B
Secondly,
we
would
like
to
lay
out
the
current
state
of
the
security
profiles
operator,
so
we
will
cover
the
operator
features
in
detail
and
how
they
can
be
used
to
make
workloads
more
secure,
and
then
we
will
see
the
operator
in
action.
So
this
is
time
for
demoing
the
operator,
while
keeping
common
use
cases
in
mind
and
after
that,
last
but
not
least,
we
will
lay
out
our
plan
for
the
future
of
the
project.
B
So,
for
example,
we
will
discuss
our
long-term
goals
and
we'll
leave
some
room
for
some
q
a
session
afterwards
how
to
enhance
default
workload.
Security
in
kubernetes
kubernetes
does
not
provide
strong
security
defaults
out
of
the
box,
so
this
means
that
kubernetes
has
to
be
designed
for
usability
over
security.
So,
for
example,
if
we
decide
to
restrict
the
discourse
of
a
workload,
then
we
can
have
to
keep
in
mind
that
this
may
break
applications,
while
it
makes
others
more
secure
other
than
that
security.
Related
decisions
have
to
be
considered
by
the
system.
B
Administrators,
the
site,
reliability
engineers,
as
well
as
application
developers
and
those
different
roles,
make
it
hard
for
the
community
project
to
decide
which
position
may
be
the
most
important
one
and
which
should
be
considered
as
the
default,
the
security
context
of
kubernetes
or
it's
a
security
configuration
that
will
be
applied
to
a
pod
or
a
container.
So
this
native
api
field
makes
the
usage
of
the
security
feature
comfortable,
because
the
api
server
can
validate
the
fields
directly
by
applying
them
to
the
workload.
A
B
B
B
One
drawback
and
limitation
of
that
is
that
we
don't
have
a
localhost
profile
validation,
so
the
relative
path
is
still
error
prone
and
there
is
no
solution
about
how
to
distribute
second
profiles
to
all
nodes.
Our
second
goal
is
to
increase
the
user.
Adoption
of
the
feature
so
how
to
provide
stronger
defaults
for
second
kubernetes,
can
we
make
the
container
runtime
default
profile
the
need
default
for
all
workloads
or
how
to
distribute
second
profiles
across
thousands
of
nodes?
So
can
administrators
get
a
mechanism
to
easily
distribute
those
second
profiles?
B
And
the
last
question
is
how
to
create
that
composer
for
my
application.
So
is
it
really
necessary
to
collect
all
syscalls
by
hand,
or
is
there
a
way
to
record
profiles?
So
what
do
we
want
to
do?
Let's
write
a
kubernetes
enhancement
proposal.
No
features
can
be
iterated
quickly
out
of
the
kubernetes
source
code
3.,
so
the
development
cycles
can
be
shorter.
We
can
enrich
faster
testing
and
feature.
Graduation
is
even
easier.
B
So
generally
it's
less
effort
for
the
community,
as
well
as
for
the
project
maintainers
to
do
it
out
of
three
and
kubern86
can
sponsor
such
a
project,
so
this
provides
community
infrastructure
access
as
well.
This
provides
full
ci
testing
in
brow,
image,
promotion
and
distribution
and
repository
access
management.
B
B
A
All
right,
thank
you,
sasha,
so
I'm
going
to
discuss
a
little
bit
about
how
the
security
profiles
operator
works
and
talk
about
the
current
features
that
we
support
in
it.
So
the
operator
is
driven
by
a
few
different
custom
resource
definitions
that
we
can
kind
of
break
into
three
general
categories.
The
first
is
the
profile
crds.
These
are
the
setcomp
profile
and
se
linux
policy
crds,
and
these
are
resources
that
define
the
actual
security
profile
that
will
get
installed
on
the
underlying
linux
host.
A
Then
we
have
what
I'm
calling
composition
crds.
These
are
the
profile
binding
and
profile
recording
crds
and
those
are
resources
that
will
help
application
developers
to
build
and
use
security
profiles,
and
then,
finally,
we
have
more
operational
crds.
These
are
resources
that
help
cluster
administrators
with
the
running
of
the
operator
itself.
A
So
going
into
a
little
more
detail
on
each
of
these,
we
have
first
the
security
profiles
themselves.
These
are
kind
of
the
cornerstone
of
the
operator
we
started
out
with
setcomp
and
setcomp
restricts
a
process
to
executing
only
a
finite
list
of
allowed
system
calls
defined
in
a
sepcom
profile
on
the
host,
and
so
the
setcom
profile
crd
provides
a
kubernetes
native
interface
to
create
and
validate
these
setcomp
profiles.
A
This
will
get
managed
on
the
backend
by
a
daemon
set
that
converts
the
setcomp
profile
resource
into
a
json
configuration
file
that
gets
picked
up
by
the
cubelet
and
used
to
launch
these
containers
and
then
more
recently,
we
added
support
for
se.
Linux
and
seolinux
defines
more
complex
access,
controls
for
processes
and
files
via
policy
rules
and
object
labels,
and
so
the
se
linux
policy
crd,
provides
again
a
kubernetes
native
interface
for
creating
and
managing
these
sc
linux
policies.
A
Instead,
there
will
be
a
web
hook
that
will
inject
a
reference
to
a
profile
into
a
pod
security
context
when
you
create
the
pod,
and
so
this
is
especially
useful
if
you're
running
some
kind
of
workload
that,
for
example,
if
you
installed
an
application
from
an
open
source,
helm
chart,
you
would
no
longer
need
to
fork
or
edit
the
helm
chart.
You
can
just
create
this
profile
binding
and
the
pod
and
the
profile
will
automatically
be
linked
and
then
another
exciting
feature
is
the
profile
recording
resource.
A
This
is
for
setcomp
and
it
generates
a
set
comp
profile
for
a
running
workload,
and
so
with
this,
there's
no
more
need
to
write
these
complex
profiles
out
by
hand,
no
more
guess
and
check
of
running
the
application
and
checking
the
audit
logs.
Instead,
you
just
create
this
profile
recording
resource
and
it
automatically
creates
a
set
comp
profile.
Kubernetes
resource
for
you
that
can
then
already
be
used
by
your
application.
A
And
then,
finally,
we
have
resources
that
help
support
cluster
administrators
running
the
operator.
The
security
profiles
operator
daemon
resource
is
kind
of
a
configuration
point
for
controllers
for
the
controller
that
runs
the
daemon
on
the
nodes.
So
it
lets
you
toggle
different
configurations
or
set
node
tolerations
for
the
daemon
set,
and
then
the
security
profile
node
status
resource
is
a
read-only
node
level
view
of
the
status
of
installed
poly
profiles.
A
So
since
profiles
are
cluster
level
resource
resources,
this
gives
insight
into
the
availability
of
a
particular
profile
on
any
given
node
in
your
cluster
and
then.
Finally,
it's
also
worth
mentioning
a
couple
other
features
in
the
operator.
We
have
this
login
richer
feature
which
supplements
the
audit
logs
with
annotations.
That
help
give
context
to
audit
events
and
lets
you
trace
events
back
to
the
kubernetes
workloads
that
generated
them.
So
that's
extremely
useful,
and
then
we
have
this
profile
stacking
feature
and
what
this
is
is
kind
of
an
inheritance
model
for
setcom
profiles.
A
A
Then
you
could
also
create
that
as
a
base
profile
and
then
create
a
slim
down
profile
with
just
a
short
list
of
system
calls
that
your
application
specifically
needs
that
wouldn't
be
necessarily
being
needed
by
other
containers
and
with
this
profile
stacking
feature.
These
can
be
composed
into
one
single
profile,
and
so
with
that,
I
can
break
into
a
demonstration
of
some
of
these
awesome
features.
A
The
operator
web
hook
depends
on
start
manager,
so
that
needs
to
be
installed
first
as
a
prerequisite,
and
then
it's
a
simple
matter
of
applying
the
operator
manifests
to
your
cluster
that
will
create
all
your
custom
resource
definitions,
set
up
your
rbac
and
run
the
main
deployment,
and
the
deployment
is
what
will
spawn
the
daemon
set.
That
does
the
actual
leg
work
of
managing
the
profiles
on
the
nodes
in
your
cluster.
A
If
we
go
and
create
that
pod,
the
pod
should
be
created
successfully,
but
if
the
pod
goes
and
tries
to
use
a
system,
call
that
wasn't
expected
and
wasn't
explicitly
permitted
by
the
setcomp
profile.
The
host
operating
system
will
forbid
it,
and
if
we
decide
that
this
is
an
expected
system,
call
that
our
application
should
be
allowed
to
make.
We
can
edit
the
profile.
A
A
While
it's
still
in
use,
it
will
mark
it
as
deleting
but
leave
it
existing,
and
it
won't
actually
delete
it
from
kubernetes
until
all
of
the
workloads
using
it
have
been
removed,
and
once
that
happens,
it
will
get
removed
from
kubernetes
and
it
will
also
get
cleaned
up
on
the
back
end,
because
the
kubernetes
controllers
give
us
the
tools
to
be
able
to
clean
up
on
the
back
end
when
something
is
deleted.
When
a
resource
is
deleted
on
the
in
the
kubernetes
api.
A
And
then,
if
we
create
a
pod
that
references
just
that
child
or
create
both
profiles,
the
base
profile
and
the
child
profile,
we
can
see
that
when
it
gets
rendered,
the
composite
profile
contains
all
the
system
calls
from
both
sets
of
profiles.
The
base
profile
and
the
child
profile,
including
this
application
specific
system
call.
A
So
if
we
go
and
recreate
the
original
set
comp
profile
and
then
create
that
binding
resource
and
go
and
create
the
pod,
then
if
we
go
and
examine
the
pod,
we
can
see
that
the
statcom
profile
has
been
injected
into
this
into
this
pod
once
it
was
created,
and
so
this
is
really
useful
for
running,
like
external
workloads,
for
example,
on
an
open
source
helm
chart
where
you
don't
want
to
modify
the
helm
chart.
You
just
want
to
use
your
custom
setcom
profile.
B
In
this
statement,
I
would
like
to
show
you
how
we
can
record
that
compromise
with
the
app
with
the
security
profiles
operator,
so
to
be
able
to
run
this
demo,
we
would
require
cryo
121,
which
may
not
be
released
yet,
but
the
latest
cryomaster
should
be
shifted
sufficient
at
all.
If
we
look
at
the
output
of
pseudocrystal
version
on
my
local
machine,
then
we
can
see
that
we
run
cryo
in
the
latest
121
development
version.
B
It
is
also
necessary
that
we
set
up
the
oci
second
bpf
project
on
the
local
machine,
and
this
is
an
oci
pre-stored
hook,
which
locally
compiles
the
ppf
module
attaches
it
to
the
workload
and
then
traces
its
calls.
If
a
word
load
gets
deleted,
then
the
syscalls
will
be
put
into
a
file
which
can
be
picked
up
by
the
operator.
We
have
to
configure
cryo
that
it
points
to
the
actual
hook,
and
for
that
we
can
look
at
the
hooksteer
configuration
option
which
points
to
the
oci
second
ppf
hook
in
my
local
machine.
B
So
everything
should
be
set
up
what's
next
now
we
have
to
create
a
profile
recording,
which
is
the
crd
and
a
simple
profile.
Recording
may
look
like
this,
so
we
create
a
profile
recording
with
the
name
demo
right
now.
We
can
only
record
second
profiles
and
we
choose
a
pod
selector
which
matches
our
labels
app
equals
demo
and
all
those
workloads
which
match
those
put
selectors
should
be
recorded.
B
B
So
for
that
we
just
run
a
simple
part
which
gets
immediately
removed
after
it
has
been
run
and
we
rename
it
mypot
and
we
add
our
labels
app
equals
demo,
and
then
we
create
a
directory
test
and
let's
see
what
happens
now,
the
pod
gets
deleted,
which
is
fine
and
now
we
should
have
a
second
profile
available
locally
in
disk.
So,
let's
look
at
our
second
profiles
in
our
clusters.
B
If
we
now
look
at
the
second
profile
in
more
detail,
then
we
can
also
find
our
mkdir
syscall
in
it
beside
other
scores,
which
are
necessary
to
actually
run
any
workload
in
our
cluster.
Now
this
is
the
least
amount
of
this
course
necessary
to
run
a
single
workload
in
a
kubernetes
cluster.
On
my
local
configuration.
B
B
So
this
should
work
at
all
and
if
we
create
the
pot
and
then
we
wait
for
it
to
be
ready,
then
we
can
look
that
the
recording
is
now
in
progress.
So
we
should
now
test
our
application,
so
we
can,
for
example,
load
balance,
the
nginx
or
the
lattice
container,
and
then
we
can
actually
see
that
all
ciscos
or
all
code
bar
paths
of
that
container
application
gets
triggered
now
for
test
purposes.
Let's
delete
the
pod
again
now
we
finally
got
two
additional
profiles
instead
installed
instead
of
just
one.
B
B
Now,
if
we
remove
the
deployment
from
our
cluster
again,
then
we
can
look
at
four
profiles
indeed,
so
we
got
a
profile
for
each
replica,
so
they
may
differ
because
different
load
balancers
may
reach
different
replicas
of
the
deployment,
but
we
are
now
able
to
actually
assemble
our
second
profiles
by
just
stuffing
them
and
looking
at
our
workloads.
So
this
is
our
main
strategy:
how
to
create
second
profiles
for
actual
real-life
workloads-
and
this
was
my
demo
for
recording
sitcom
profiles
with
the
help
of
the
security
profiles
operator.
B
What
do
we
plan
for
the
future
of
the
project?
Well,
there
are
many
things
planned,
but
a
few
of
them
are
just
here.
So
the
first
thing
we
would
like
to
do
is
we
would
like
to
introduce
a
note
status
for
profile,
reconciliation
to
avoid
data
races,
so
we
are
working
on
a
fully
transferring
node
status
that
determine
if
a
profile
has
been
reconciled
to
this
gonad.
So
this
helps
us
to
avoid
data
races
and
make
the
mobile
or
implementation
more
robust,
especially
for
large
scale
deployments
further.
B
We
would
like
to
simplify
the
deployment
in
favor
of
automatism,
so
the
webhook
deployment
should
be
part
of
a
single
all-in-one
deployment
file.
We
would
like
to
add
custom
deployment
logic
to
keep
the
rollout
of
the
operator
in
sync.
We
are
also
considering
to
remove
the
assortment
manager
dependency
completely.
B
Our
plan
is
to
provide
a
matrix
endpoint
for
the
operator
to
export
security
related
information
to
prometheus.
This
gives
cluster
operators
more
details
about
the
actual
security
policies
and
what
is
going
on
in
that
cluster.
So
we
would
like
to
love
to
see
your
contribution
if
you're
interested
and
if
you
want
to
get
started
working
with
any
of
those
topics,
and
with
that
I
would
like
to
thank
you
all
for
listening
this
talk,
and
now
we
are
happy
to
answer
any
questions
see
ya.