Snitch should not mount entire host rootfs #1705

Open
DelusionalOptimist opened this issue Mar 26, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@DelusionalOptimist (Member)
Feature Request

Short Description
KubeArmor snitch currently mounts the entire rootfs of the host - ref

Describe the solution you'd like

We should specify the host path volume mounts at a more granular level. For example:

  • For detecting container runtimes /var/run should be enough
  • For apparmor profiles /etc/apparmor.d should be enough

and so on...

We may use the older KubeArmor daemonset as a reference for the same.

@DelusionalOptimist DelusionalOptimist added the enhancement New feature or request label Mar 26, 2024
@rksharma95 (Collaborator)

rksharma95 commented Mar 28, 2024

/var/run, /run to detect container runtime
/sys/kernel/ for btf, securityfs
/sys/module/apparmor/parameters/enabled ref: https://kubernetes.io/docs/tutorials/security/apparmor/#before-you-begin
/var/lib/kubelet/seccomp for seccomp
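Added example (not KubeArmor's own manifest or code): the two spec shapes the issue contrasts, expressed as Kubernetes pod-spec dicts, plus a small check that flags a hostPath volume exposing the host rootfs. The "broad" spec is a hypothetical stand-in for the current single rootfs mount; the granular spec mounts only the paths listed in the issue and in the comment above, read-only, under a /host prefix. Volume names, the /host prefix and the purpose strings are assumptions; the hostPath `type` values (Directory, File) are standard Kubernetes ones.

```python
"""Least-privilege hostPath mounts for a node-inspection DaemonSet.

Constructed example, not a KubeArmor manifest: a 'before' spec that mounts the
whole host rootfs, a builder for a granular replacement, and a check that
reports hostPath volumes outside an allow-list of host paths.
"""
import re

# Hypothetical 'before': one hostPath volume exposing the entire host filesystem.
BROAD_SPEC = {
    "volumes": [{"name": "rootfs", "hostPath": {"path": "/", "type": "Directory"}}],
    "containers": [{
        "name": "snitch",
        "volumeMounts": [{"name": "rootfs", "mountPath": "/rootfs", "readOnly": True}],
    }],
}

# Host paths named in the issue and the follow-up comment:
# (host path, Kubernetes hostPath type, what the detector needs it for).
GRANULAR_PATHS = [
    ("/var/run", "Directory", "container runtime sockets"),
    ("/run", "Directory", "container runtime sockets"),
    ("/sys/kernel", "Directory", "BTF and securityfs"),
    ("/sys/module/apparmor/parameters/enabled", "File", "AppArmor enabled flag"),
    ("/etc/apparmor.d", "Directory", "AppArmor profiles"),
    ("/var/lib/kubelet/seccomp", "Directory", "seccomp profiles"),
]

# Assumed in-container prefix under which host paths are mounted.
HOST_PREFIX = "/host"


def volume_name(host_path):
    """Derive a DNS-1123 label (lowercase alphanumerics and '-') from a host path."""
    label = re.sub(r"[^a-z0-9]+", "-", host_path.lower()).strip("-")
    return f"host-{label}"


def build_granular_spec(paths=GRANULAR_PATHS, container_name="snitch"):
    """Build a pod spec that mounts each listed host path read-only, nothing more."""
    volumes, mounts = [], []
    for host_path, vtype, purpose in paths:
        name = volume_name(host_path)
        # Explicit hostPath type: kubelet refuses to start the pod if the path
        # is missing or of the wrong kind, instead of silently creating it.
        volumes.append({"name": name, "hostPath": {"path": host_path, "type": vtype}})
        mounts.append({
            "name": name,
            "mountPath": HOST_PREFIX + host_path,
            "readOnly": True,          # inspection only; never writable
            "purpose": purpose,        # documentation field, not a Kubernetes key
        })
    return {"volumes": volumes, "containers": [{"name": container_name, "volumeMounts": mounts}]}


def find_broad_host_mounts(spec, allowed=tuple(p for p, _, _ in GRANULAR_PATHS)):
    """Return (volume name, path) for hostPath volumes that are the rootfs or
    fall outside the allow-list of host paths."""
    findings = []
    for vol in spec.get("volumes", []):
        host = vol.get("hostPath")
        if not host:
            continue
        path = host["path"].rstrip("/") or "/"
        within = any(path == p or path.startswith(p + "/") for p in allowed)
        if path == "/" or not within:
            findings.append((vol["name"], path))
    return findings


def find_writable_host_mounts(spec):
    """Return names of hostPath-backed mounts that are not marked readOnly."""
    host_volumes = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    return [m["name"] for c in spec.get("containers", [])
            for m in c.get("volumeMounts", [])
            if m["name"] in host_volumes and not m.get("readOnly", False)]


if __name__ == "__main__":
    print("broad spec findings:", find_broad_host_mounts(BROAD_SPEC))
    granular = build_granular_spec()
    print("granular spec findings:", find_broad_host_mounts(granular))
    for m in granular["containers"][0]["volumeMounts"]:
        print(f"{m['mountPath']:<50} readOnly={m['readOnly']}  # {m['purpose']}")
```

The `purpose` key is only there to keep the justification next to each mount while reading; strip it before emitting real YAML, since a volumeMount has no such field. The allow-list check is the kind of gate a CI step or admission policy can apply to the DaemonSet manifest so a rootfs mount does not creep back in.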

@Utkar5hM (Contributor)

Utkar5hM commented Apr 4, 2024

I would like to work on this.

Projects
Status: Triage
Development

No branches or pull requests

3 participants