appamor

Author: githubfoam

.github/workflows/apparmor-wf.yml

@@ -0,0 +1,40 @@
+name: "apparmor kind Ubuntu CI workflow"
+
+
+on:
+  push:
+    branches: [ test ]
+  # schedule:
+      # https://crontab.guru/
+      # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+      # - cron:  '0 0 * * FRI' ##execution of a task in the first minute of the month  
+
+
+jobs:
+
+# https://kubernetes.io/docs/tutorials/security/apparmor/
+  seccomp-kind-ubuntu-latest-job:
+    name: "Restrict a Container's Access to Resources with AppArmor job"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: "os fingerprinti  ng"
+      run: hostnamectl status
+      # https://kind.sigs.k8s.io/docs/user/quick-start/
+    - name: "Restrict a Container's Access to Resources with AppArmor" 
+      run: |
+        curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
+        chmod +x ./kind 
+        mv ./kind /usr/local/bin/kind    
+        # Default cluster context name is `kind`.
+        kind create cluster 
+        kind get clusters       
+        kubectl config get-contexts 
+        kubectl cluster-info --context kind-kind
+        docker ps
+        # Kubernetes version is at least v1.4 -- Kubernetes support for AppArmor was added in v1.4.
+        # verify the Kubelet version of nodes
+        kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.status.nodeInfo.kubeletVersion}\n{end}'
+        # check whether the module is enabled
+        cat /sys/module/apparmor/parameters/enabled
+  

.github/workflows/psa-wf.yml renamed to .github/workflows/psa-cluster-wf.yml

@@ -1,4 +1,4 @@
-name: "Pod Security Standards kind Ubuntu CI workflow"
+name: "Pod Security Standards Cluster Level workflow"
 
 
 on:
@@ -13,8 +13,8 @@ on:
 jobs:
 
 # https://kubernetes.io/docs/tutorials/security/cluster-level-pss/
-  psa-kind-ubuntu-latest-job:
-    name: "Restrict a Container's Syscalls with seccomp job"
+  psa-cluster-kind-ubuntu-latest-job:
+    name: "Apply Pod Security Standards at the Cluster Level"
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -35,5 +35,5 @@ jobs:
         kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.23.0
         kind get clusters       
         kubectl config get-contexts 
-        # kubectl cluster-info --context kind-kind
+        kubectl cluster-info --context kind-psa-wo-cluster-pss 
   

.github/workflows/psa-namespace-wf.yml

@@ -0,0 +1,41 @@
+name: "Pod Security Standards Namespace  Level workflow"
+
+
+on:
+  push:
+    branches: [ test ]
+  # schedule:
+      # https://crontab.guru/
+      # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+      # - cron:  '0 0 * * FRI' ##execution of a task in the first minute of the month  
+
+
+jobs:
+
+# https://kubernetes.io/docs/tutorials/security/ns-level-pss/
+  psa-namespace-kind-ubuntu-latest-job:
+    name: "Apply Pod Security Standards at the Namespace Level"
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: "os fingerprinti  ng"
+      run: hostnamectl status
+      # https://kind.sigs.k8s.io/docs/user/quick-start/
+    - name: "Apply Pod Security Standards at the Cluster Level" 
+      run: |
+        curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
+        chmod +x ./kind 
+        mv ./kind /usr/local/bin/kind    
+        # Default cluster context name is `kind`.
+        # kind create cluster 
+        # kind get clusters       
+        # kubectl config get-contexts 
+        # kubectl cluster-info --context kind-kind
+        # Create a cluster with no Pod Security Standards applied:
+        kind create cluster --name psa-ns-level --image kindest/node:v1.23.0
+        kind get clusters       
+        kubectl config get-contexts 
+        kubectl cluster-info --context kind-psa-ns-level
+        # kubectl cluster-info --context kind-kind
+        kubectl create ns example
+