wip: introduce RuntimeSecurityPolicy #2523
Draft: mtardy wants to merge 18 commits into main from pr/mtardy/user-friendly-policy
RuntimeSecurityPolicy are meant to be accessible and user-friendly policies to configure Tetragon. Those policies are then translated to lower-level TracingPolicy. This is the cluster-wide resource, a namespaced one will follow. Signed-off-by: Mahe Tardy <[email protected]>
Generate the k8s files for the newly added RuntimeSecurityPolicy CRD. Signed-off-by: Mahe Tardy <[email protected]>
This adds the Runtime Security Policy to the CRD list (to be used by the operator) as well as the RuntimeSecurity and RuntimeSecurityPolicyList to the known types. Signed-off-by: Mahe Tardy <[email protected]>
Allow API access to RuntimeSecurityPolicy, both for the agent and the operator. Signed-off-by: Mahe Tardy <[email protected]>
This flag allows disabling the RuntimeSecurityPolicyCRD (since it's enabled by default) to make it possible to run Tetragon in k8s context without the CRD. Note: now that we have multiple CRDs like that, we may want to group all of that behind the same "EnableCRDs" flags. Signed-off-by: Mahe Tardy <[email protected]>
Add the RuntimeSecurityPolicy CRD to the list that the agent waits to find when it starts. Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
Also add common helpers like FromYAML(). Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
This validator is used after the CRD validation step is already done for more in-depth validation. Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
Run `make codegen` to generate code for the new API. Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
TODO, finish this commit, need to write update part. Signed-off-by: Mahe Tardy <[email protected]>
Signed-off-by: Mahe Tardy <[email protected]>
Optional fields should use omitempty as a JSON tag so that when we generate a policy, it's not required to put the zero value. Signed-off-by: Mahe Tardy <[email protected]>
Also add common helpers like FromFile(). Signed-off-by: Mahe Tardy <[email protected]>
✅ Deploy Preview for tetragon ready!
First step of #2185
This is still a work in progress.