kubernetes-sigs/security-profiles-operator

Kubernetes Security Profiles Operator

The Security Profiles Operator (SPO) is an out-of-tree Kubernetes enhancement which aims to make it easier to create and use SELinux, seccomp and AppArmor security profiles in Kubernetes clusters.

Features

The following table shows feature parity across the security profile types supported by the SPO:

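| Feature                             | Seccomp | SELinux | AppArmor |
|-------------------------------------|---------|---------|----------|
| Profile CRD                         | Yes     | Yes     | Yes      |
| Install profiles in cluster         | Yes     | Yes     | Yes      |
| Remove unused profiles from cluster | Yes     | Yes     | Yes      |
| Profile Recording (audit logs)      | Yes     | Yes     | No       |
| Profile Recording (eBPF)            | Yes     | No      | Yes      |
| Profile Binding to container images | Yes     | No      | No       |
| Audit log enrichment                | Yes     | Yes     | Yes      |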

For information about the security model and what permissions each feature requires, refer to SPO's security model.

Resources

The motivation behind the project can be found in the corresponding RFC.

Related Kubernetes Enhancement Proposals (KEPs) which have direct influence on this project:

Next to those KEPs, here are existing approaches for security profiles in the Kubernetes world:

Community, discussions, contributions, and support

If you're interested in contributing to SPO, please see the developer-focused document.

We schedule a monthly meeting on the last Thursday of every month.

Learn how to engage with the Kubernetes community on the community page.

You can reach the maintainers of this project at:

Code of conduct

Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.