Bumping k8s dependencies to 1.13
This commit is contained in:
Cheng Xing
76
vendor/k8s.io/kubernetes/test/images/apparmor-loader/example-configmap.yaml
generated
vendored
Normal file
76
vendor/k8s.io/kubernetes/test/images/apparmor-loader/example-configmap.yaml
generated
vendored
Normal file
@@ -0,0 +1,76 @@
|
||||
# An example ConfigMap demonstrating how profiles can be stored as Kubernetes objects, and loaded by
|
||||
# the apparmor-loader DaemonSet.
|
||||
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: apparmor-profiles
|
||||
namespace: apparmor
|
||||
data:
|
||||
# Filename k8s-nginx maps to the definition of the nginx profile.
|
||||
k8s-nginx: |-
|
||||
#include <tunables/global>
|
||||
|
||||
# From https://github.com/jfrazelle/bane/blob/master/docker-nginx-sample
|
||||
profile k8s-nginx flags=(attach_disconnected,mediate_deleted) {
|
||||
#include <abstractions/base>
|
||||
|
||||
network inet tcp,
|
||||
network inet udp,
|
||||
network inet icmp,
|
||||
|
||||
deny network raw,
|
||||
|
||||
deny network packet,
|
||||
|
||||
file,
|
||||
umount,
|
||||
|
||||
deny /bin/** wl,
|
||||
deny /boot/** wl,
|
||||
deny /dev/** wl,
|
||||
deny /etc/** wl,
|
||||
deny /home/** wl,
|
||||
deny /lib/** wl,
|
||||
deny /lib64/** wl,
|
||||
deny /media/** wl,
|
||||
deny /mnt/** wl,
|
||||
deny /opt/** wl,
|
||||
deny /proc/** wl,
|
||||
deny /root/** wl,
|
||||
deny /sbin/** wl,
|
||||
deny /srv/** wl,
|
||||
deny /tmp/** wl,
|
||||
deny /sys/** wl,
|
||||
deny /usr/** wl,
|
||||
|
||||
audit /** w,
|
||||
|
||||
/var/run/nginx.pid w,
|
||||
|
||||
/usr/sbin/nginx ix,
|
||||
|
||||
deny /bin/dash mrwklx,
|
||||
deny /bin/sh mrwklx,
|
||||
deny /usr/bin/top mrwklx,
|
||||
|
||||
capability chown,
|
||||
capability dac_override,
|
||||
capability setuid,
|
||||
capability setgid,
|
||||
capability net_bind_service,
|
||||
|
||||
deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
|
||||
deny @{PROC}/sysrq-trigger rwklx,
|
||||
deny @{PROC}/mem rwklx,
|
||||
deny @{PROC}/kmem rwklx,
|
||||
deny @{PROC}/kcore rwklx,
|
||||
deny mount,
|
||||
deny /sys/[^f]*/** wklx,
|
||||
deny /sys/f[^s]*/** wklx,
|
||||
deny /sys/fs/[^c]*/** wklx,
|
||||
deny /sys/fs/c[^g]*/** wklx,
|
||||
deny /sys/fs/cg[^r]*/** wklx,
|
||||
deny /sys/firmware/efi/efivars/** rwklx,
|
||||
deny /sys/kernel/security/** rwklx,
|
||||
}
|
||||
Reference in New Issue
Block a user