The Security Profiles Operator (SPO) is an out-of-tree Kubernetes enhancement which aims to make it easier to create and use SELinux, seccomp and AppArmor security profiles in Kubernetes clusters.
The table below shows which features SPO supports for each of the security profile types:
| Feature | Seccomp | SELinux | AppArmor |
|---|---|---|---|
| Profile CRD | Yes | Yes | Yes |
| Install profiles in cluster | Yes | Yes | Yes |
| Remove unused profiles from cluster | Yes | Yes | Yes |
| Profile Recording (audit logs) | Yes | Yes | No |
| Profile Recording (eBPF) | Yes | No | Yes |
| Profile Binding to container images | Yes | No | No |
| Audit log enrichment | Yes | Yes | Yes |
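As an added illustration of the "Profile CRD" and "Profile Binding" rows (example manifests written for this page, not taken from the operator's own documentation), a seccomp profile expressed as an SPO `SeccompProfile`, a `ProfileBinding` that applies it to every container started from one image (seccomp only, as the table shows), and a Pod that references the rendered profile directly. The names, namespace, image reference and syscall allow-list are assumptions; a real allow-list would normally be derived with profile recording.

```yaml
# SeccompProfile CRD: the operator renders it into a seccomp JSON file
# on each node so the kubelet can load it for containers.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: nginx-deny-by-default   # assumed name
  namespace: web                # assumed namespace
spec:
  defaultAction: SCMP_ACT_ERRNO  # any syscall not listed below fails with an errno
  architectures:
    - SCMP_ARCH_X86_64
  syscalls:
    - action: SCMP_ACT_ALLOW
      names:                     # illustrative subset, not a working allow-list
        - accept4
        - bind
        - epoll_wait
        - read
        - write
        - exit_group
---
# ProfileBinding: containers created from this image receive the profile
# above without editing every Pod spec that uses the image.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
  name: nginx-binding            # assumed name
  namespace: web
spec:
  profileRef:
    kind: SeccompProfile
    name: nginx-deny-by-default
  image: nginx:1.25              # assumed image reference
---
# Without a binding, a Pod points at the rendered file, which the operator
# installs under operator/<namespace>/<profile-name>.json on the node.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: web
spec:
  containers:
    - name: nginx
      image: nginx:1.25
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: operator/web/nginx-deny-by-default.json
```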
For information about the security model and what permissions each feature requires, refer to SPO's security model.
The motivation behind the project can be found in the corresponding RFC.
Related Kubernetes Enhancement Proposals (KEPs) which have direct influence on this project:
- Promote seccomp to GA
- Add ConfigMap support for seccomp custom profiles
- Add KEP to create seccomp built-in profiles and add complain mode
Besides those KEPs, there are existing approaches to security profiles in the Kubernetes world:
- AppArmor Loader
- OpenShift's Machine config operator, in charge of file management and security profiles on hosts
- seccomp-config
If you're interested in contributing to SPO, please see the developer-focused document.
We hold a monthly meeting on the last Thursday of each month.
Learn how to engage with the Kubernetes community on the community page.
You can reach the maintainers of this project at:
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.