Rethinking Security: The Latest Features of Security Profiles Operator v0.4.0
ayedo Editorial Team, 2 min read


Discover the new features of Security Profiles Operator v0.4.0 and how they enhance security in Kubernetes.

The Security Profiles Operator (SPO) is a pivotal extension for Kubernetes, significantly simplifying the management of seccomp, SELinux, and AppArmor profiles. We are excited to announce the release of v0.4.0, which brings numerous new features, improvements, and bug fixes.

What’s New?

It’s been a while since the last release v0.3.0. Over the past six months, we’ve made over 290 commits to add new features, optimize existing ones, and overhaul our documentation.

A highlight is the ability to record seccomp and SELinux profiles using the log enricher. This reduces the dependencies required for profile recording to the presence of auditd or syslog (as a fallback) on the nodes. All profile recordings in the operator function uniformly via the ProfileRecording CRD and the corresponding label selector. The log enricher can also be used to gain valuable insights into seccomp and SELinux messages from a node. For more information, see the official documentation.

In addition to recording via the log enricher, we now offer an alternative for recording seccomp profiles using eBPF. This optional feature can be enabled by setting enableBpfRecorder to true. Doing so launches a dedicated container that provides a custom BPF module on each node to collect syscalls for containers. It even supports older kernel versions that do not provide the BPF Type Format (BTF) by default, as well as the amd64 and arm64 architectures. Check out our documentation to see this in action. Incidentally, we now add the architecture of the seccomp profile host to the recorded profile.

Additionally, we have upgraded the seccomp profile API from v1alpha1 to v1beta1. This aligns with our overarching goal to stabilize the CRD APIs over time. The only change is that the Architectures type of the seccomp profile now refers to []Arch instead of []*Arch.
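
The manifests below are an added example, not taken from this article or the SPO documentation. They sketch how the pieces described above fit together: enabling the BPF recorder, selecting pods with a ProfileRecording, and the kind of v1beta1 profile that results. It assumes the operator runs in the security-profiles-operator namespace; the names my-recording, my-app and nginx and the syscall list are constructed placeholders.

```yaml
# Added example; all resource names and the syscall list are placeholders.

# 1. Enable the optional BPF recorder on the operator daemon configuration:
#    kubectl -n security-profiles-operator patch spod spod \
#      --type=merge -p '{"spec":{"enableBpfRecorder":true}}'
---
# 2. Record a seccomp profile for every pod matching the label selector.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: my-recording
spec:
  kind: SeccompProfile
  recorder: bpf            # "logs" selects the log enricher (auditd/syslog) instead
  podSelector:
    matchLabels:
      app: my-app          # pods carrying this label are recorded
---
# 3. Shape of a recorded profile (constructed; for reference, not meant to be
#    applied). Review the allowed syscalls before enforcing a recorded profile:
#    it reflects only what the workload did while it was being recorded.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: my-recording-nginx # assumed naming: recording name plus container name
spec:
  defaultAction: SCMP_ACT_ERRNO
  architectures:           # architecture of the host the recording ran on
    - SCMP_ARCH_X86_64
  syscalls:
    - action: SCMP_ACT_ALLOW
      names:               # shortened, constructed list
        - accept4
        - epoll_wait
        - openat
        - read
        - write
```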

With these improvements and new features, managing security profiles in Kubernetes becomes more efficient and user-friendly. ayedo is proud to be at the forefront of these developments as a Kubernetes partner, helping companies optimize their security strategies.


Source: Kubernetes Blog
