Awesome

selinux-k8s

This is a small script that wraps up udica and allows you to scan containers from a Kubernetes deployment's CRI, and generate SELinux policies from them. The script will create a ConfigMap in the namespace where the pod is running.

Normally one would deploy this as a pod (either directly or from an operator).

An example of how to deploy this pod is provided in the repo. This example contains all the relevant bind-mounts to make udica and the SELinux utilities work from the pod, as well as the bind-mount to be able to call the CRI.

TODO

• Handle duplicated ConfigMaps: What happens when the ConfigMap that this tool is trying to create already exists? Should it overwrite, ignore or fail?

• Get capabilities for pods

• Read extra capabilities needed for a specific pod (user provided)