Support Podman for unorchestrated environments #1814

rootxrishabh opened this issue Jul 23, 2024 · 6 comments · May be fixed by #1874
Labels
enhancement New feature or request mentorship

Comments

@rootxrishabh
Member

rootxrishabh commented Jul 23, 2024

KubeArmor connects to the container runtime to get the mount namespace and other details (e.g. container image details). These details are subsequently used in telemetry/log enrichment, for example:

  • Check whether the process event is in the context of the container/namespace.
  • Check what the container image ID is for the event that is generated.

The aim is to add Podman support to KubeArmor for unorchestrated environments, as Podman does not implement the CRI.

Initial Scope:

  • Design points
  • Leverage OCI hooks for container information
  • Validate policy enforcement with Podman
  • Validate alerts/telemetry with Podman

Future Items:

Support for Podman in socket mode as well

References:

@rootxrishabh rootxrishabh added enhancement New feature or request mentorship labels Jul 23, 2024
@vinayakjaas

Hey @rootxrishabh, I am interested in the issue of creating Podman support for KubeArmor in unorchestrated environments. I plan to review the reading materials you provided and other resources available online related to Podman. I will come up with a proper plan and design for this project.

@VeerChaurasia

Hey @rootxrishabh, excited to work on this issue of creating Podman support for KubeArmor for unorchestrated environments. Currently going through the references you have shared.

@kairveeehh

Hi @rootxrishabh, I would like to work on this project as it aligns with my skills and interests under the LFX mentorship programme.

@abhashsolanki18

@rootxrishabh this would be an exciting project for me, as I've worked closely with Podman during my global certification training with Red Hat for RHCSA and RHCE. I'll go through the resources and prepare a plan for the project.

@bdharsan04

Hey @rootxrishabh, are there any prerequisites for working on this particular project?

@daemon1024
Member

Hey folks, thanks for the interest in the mentorship. We have certain prerequisites which we expect to be included in your application. Please include details or a reference to a document for the said prerequisite in your cover letter / mail to the mentors / DM to the mentors in CNCF Slack by 20 August, 11:59 PM IST.

Following are the details.

Support Podman and OCI Hooks support for unorchestrated environments - https://mentorship.lfx.linuxfoundation.org/project/c693a6b1-d034-4140-8aba-dfe02fbef48a

Prerequisite:

Share an OCI hook that adds an AppArmor profile to a container created by the user.
Generally, an AppArmor profile can be set for a container using

sudo podman run --name=test --security-opt=apparmor=test-profile -it busybox

where test-profile is an already loaded AppArmor profile.

Imagine you start a container using

sudo podman run --name=test-non-apparmor -it busybox

Due to the presence of your OCI hook, the said Podman container should be loaded with an AppArmor profile.

References to understand containers and AppArmor profiles
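The "Leverage OCI hooks for container information" item in the initial scope and the prerequisite in daemon1024's comment come down to the same building block: a program that Podman invokes with the container's OCI state document, which can then inspect the bundle and the already-created container process. The Go program below is an added example written for this thread; it is not KubeArmor's implementation and not the change in #1874. It assumes rootful Podman (as in the commands above), a hook binary installed at /usr/local/bin/kubearmor-podman-hook and registered through a 1.0.0-format hook file in /etc/containers/oci/hooks.d, a hypothetical annotation kubearmor.io/apparmor-profile naming the profile a container should run under (falling back to an assumed name kubearmor-default), and an assumed log path /var/log/kubearmor-podman-hook.jsonl where a daemon would pick the records up. It covers the information side (container ID, PID, mount-namespace inode, rootfs and AppArmor profile from config.json) and, for the prerequisite, the check that the required profile is loaded in the kernel, refusing the start otherwise; how to attach that profile to the container's init process at the right runtime stage is the design point the issue asks for and is left open here.

```go
package main

// Added example, not KubeArmor's code: a Podman OCI prestart hook that gathers what
// KubeArmor needs to enrich events (container ID, PID, mount-namespace inode, rootfs,
// AppArmor profile) and refuses to start a container whose required profile is not
// loaded. Podman runs it (binary path assumed) with the OCI state document on stdin
// once a file in /etc/containers/oci/hooks.d registers it:
//   {"version":"1.0.0","hook":{"path":"/usr/local/bin/kubearmor-podman-hook"},
//    "when":{"always":true},"stages":["prestart"]}

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// State is the OCI runtime state document a hook receives on stdin.
type State struct {
	ID          string            `json:"id"`
	Pid         int               `json:"pid"`
	Bundle      string            `json:"bundle"`
	Annotations map[string]string `json:"annotations"`
}

// ContainerInfo is the record the hook hands to the daemon.
type ContainerInfo struct {
	ID, RootFS, AppArmorProfile string // AppArmorProfile is empty for an unconfined container
	Pid                         int
	MountNS                     uint64 // inode of /proc/<pid>/ns/mnt, the key KubeArmor matches events on
}

// profileAnnotation is a hypothetical annotation set with `podman run --annotation ...=NAME`.
const profileAnnotation = "kubearmor.io/apparmor-profile"

// ParseState decodes the state document and rejects one lacking the fields the hook needs.
func ParseState(raw []byte) (st State, err error) {
	if err = json.Unmarshal(raw, &st); err == nil && (st.ID == "" || st.Pid <= 0 || st.Bundle == "") {
		err = fmt.Errorf("OCI state is missing id, pid or bundle")
	}
	return st, err
}

// Inspect merges the state, config.json and the readlink target of /proc/<pid>/ns/mnt into one record.
func Inspect(st State, configJSON []byte, nsLink string) (ContainerInfo, error) {
	var cfg struct {
		Process struct{ AppArmorProfile string `json:"apparmorProfile"` } `json:"process"`
		Root    struct{ Path string `json:"path"` }            `json:"root"`
	}
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return ContainerInfo{}, fmt.Errorf("invalid config.json: %w", err)
	}
	// The link target looks like "mnt:[4026532345]"; anything else is not a mount namespace.
	ns, err := strconv.ParseUint(strings.TrimSuffix(strings.TrimPrefix(nsLink, "mnt:["), "]"), 10, 64)
	if err != nil || !strings.HasPrefix(nsLink, "mnt:[") || !strings.HasSuffix(nsLink, "]") {
		return ContainerInfo{}, fmt.Errorf("not a mount-namespace link: %q", nsLink)
	}
	root := cfg.Root.Path
	if !filepath.IsAbs(root) { // root.path may be relative to the bundle directory
		root = filepath.Join(st.Bundle, root)
	}
	return ContainerInfo{ID: st.ID, Pid: st.Pid, MountNS: ns, RootFS: root,
		AppArmorProfile: cfg.Process.AppArmorProfile}, nil
}

// ProfileLoaded looks name up in the content of /sys/kernel/security/apparmor/profiles
// (one "name (mode)" entry per line), matching whole names only.
func ProfileLoaded(profiles []byte, name string) bool {
	return strings.Contains("\n"+string(profiles), "\n"+name+" (")
}

func main() {
	st := must(ParseState(must(os.ReadFile("/dev/stdin"))))
	cfg := must(os.ReadFile(filepath.Join(st.Bundle, "config.json")))
	nsLink := must(os.Readlink(fmt.Sprintf("/proc/%d/ns/mnt", st.Pid))) // the container init already exists at prestart
	info := must(Inspect(st, cfg, nsLink))
	want := st.Annotations[profileAnnotation] // user-chosen profile, else an assumed default name
	if want == "" {
		want = "kubearmor-default"
	}
	if !ProfileLoaded(must(os.ReadFile("/sys/kernel/security/apparmor/profiles")), want) {
		must(0, fmt.Errorf("container %s needs profile %q, which is not loaded", info.ID, want)) // fail closed
	}
	// Hook stdout is not shown to the user, so append the record where the daemon reads it (path assumed).
	f := must(os.OpenFile("/var/log/kubearmor-podman-hook.jsonl", os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600))
	must(0, json.NewEncoder(f).Encode(map[string]any{"container": info, "profile": want}))
}

// must exits non-zero on error; a failing prestart hook makes the runtime abort the container start.
func must[T any](v T, err error) T {
	if err != nil {
		fmt.Fprintln(os.Stderr, "kubearmor-podman-hook:", err)
		os.Exit(1)
	}
	return v
}
```

With the hook file in place, `sudo podman run --name=test-non-apparmor -it busybox` is refused until the profile named by the annotation (or the assumed default) has been loaded with apparmor_parser, and the hook's stderr line is surfaced in the runtime's error message; once the profile is loaded, each start appends one JSON record with the mount-namespace inode that a daemon can use to attribute kernel events to the container. The prestart stage is used because the container process exists at that point, so /proc/<pid>/ns/mnt can be read, while the user's workload has not started yet.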
