
Enhancing Kubernetes with the Security Profiles Operator

Authors: Colleen Murphy


Summary

The Security Profiles Operator enhances Kubernetes workload security by providing cloud-native APIs to manage Linux security features like seccomp, AppArmor, and SELinux.
  • Kubernetes does not apply strong security defaults out of the box: a workload runs without a seccomp profile unless one is configured explicitly
  • The Security Profiles Operator exposes profiles as Kubernetes objects and binds them through native pod fields, so profiles no longer have to be hand-copied onto every node
  • The operator can record security profiles for a single pod, or for each of several containers within a single pod
  • The operator can also record security profiles for whole deployments
  • Future plans for the project include introducing a node status for profile reconciliation, simplifying deployment, and adding full features for SELinux and AppArmor support
The Security Profiles Operator makes it easier to apply security profiles to workloads by relying on the native `securityContext.seccompProfile` field instead of the earlier `seccomp.security.alpha.kubernetes.io/...` annotation syntax, which was a free-form string that the API server could not validate. The native field is easier to read and less error-prone. Combined with recording, which observes a running pod or deployment and turns the syscalls it actually uses into a profile, the operator lets administrators manage seccomp profiles for single pods, individual containers, and whole deployments from one source of truth.
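The workflow the summary describes, as an added example that is not from the talk page or the project's own documentation: a seccomp profile defined as a Kubernetes object, the deprecated annotation binding beside the native field that replaced it, and a recording that captures a profile for a whole deployment. The namespace, object names, the `nginx` image tag and the syscall allowlist are assumed, illustrative values, and the allowlist is deliberately short; it is not a complete profile for any real workload. The API group and versions are those the operator has used for these kinds, but check `kubectl api-resources` against the operator release you run.

```yaml
# 1. A seccomp profile managed as a Kubernetes object. The operator renders
#    it to the kubelet seccomp directory on every node, so no one copies
#    JSON files onto hosts by hand. The syscall list is an assumed, partial
#    allowlist for illustration only.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: nginx-minimal
  namespace: demo
spec:
  defaultAction: SCMP_ACT_ERRNO   # deny by default: unlisted syscalls fail with an errno
  architectures:
  - SCMP_ARCH_X86_64
  syscalls:
  - action: SCMP_ACT_ALLOW
    names:
    - accept4
    - bind
    - close
    - epoll_ctl
    - epoll_wait
    - exit_group
    - listen
    - read
    - socket
    - write
---
# 2. The deprecated annotation-based binding (deprecated in Kubernetes 1.19,
#    removed in 1.25). The value is an unvalidated string; a typo silently
#    leaves the pod unconfined.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-legacy
  namespace: demo
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: localhost/operator/demo/nginx-minimal.json
spec:
  containers:
  - name: nginx
    image: nginx:1.25
---
# 3. The native field. Kubernetes validates the structure, and the path is
#    relative to the kubelet seccomp root, where the operator writes
#    operator/<namespace>/<profile-name>.json.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: demo
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: operator/demo/nginx-minimal.json
  containers:
  - name: nginx
    image: nginx:1.25
---
# 4. Recording a profile for a whole deployment. Every pod matched by the
#    selector (and created after this object exists) is traced; when the
#    pods terminate, the operator creates one SeccompProfile per container,
#    named after the recording and the container, from the syscalls it saw.
#    The "logs" recorder needs the operator's log enricher enabled; "bpf"
#    is the alternative.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: nginx-recording
  namespace: demo
spec:
  kind: SeccompProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: nginx
```

Apply the manifests with `kubectl apply -f`, then `kubectl get seccompprofile -n demo` shows whether each profile has been installed on the nodes before any pod references it. A deny-by-default profile with an incomplete allowlist will break the application rather than merely log, so the practical order is: record against a representative run of the deployment, review the generated profile (recordings capture what the workload did, including anything an attacker could have triggered during the run), then bind it through the native field.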

Abstract

Kubernetes provides ways for container workloads to leverage Linux security features like seccomp, AppArmor, and SELinux, technologies that allow applications to be bound by security profiles that prevent unexpected and malicious behavior. But crafting and deploying these profiles is a manual process that requires administrators to operate directly on the underlying host and end-users to have knowledge of the security configuration of the hosts. The Security Profiles Operator is an out-of-tree Kubernetes enhancement that provides cloud-native APIs to manage these profiles.

In this session, Colleen and Sascha will discuss how the Security Profiles Operator has evolved. They demonstrate how the project empowers workload security by making seccomp profiles easier to use inside of Kubernetes. Besides that, they will speak about the future of the project, how it may integrate into Kubernetes, and what it means to combine profile-based security features managed from one source of truth.
