-
Notifications
You must be signed in to change notification settings - Fork 0
/
kubernetes.te
84 lines (62 loc) · 2.03 KB
/
kubernetes.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
policy_module(kubernetes, 1.0.0)
########################################
#
# Declarations
#
attribute kubernetes_domain;
kubernetes_domain_template(kube_apiserver)
kubernetes_domain_template(kube_controller_manager)
kubernetes_domain_template(kube_proxy)
kubernetes_domain_template(kube_scheduler)
kubernetes_domain_template(kubelet)
permissive kube_apiserver_t;
permissive kube_controller_manager_t;
permissive kube_proxy_t;
permissive kubelet_t;
type kube_unit_file_t;
systemd_unit_file(kube_unit_file_t)
type kubelet_unit_file_t;
systemd_unit_file(kubelet_unit_file_t)
type kubelet_var_lib_t;
files_type(kubelet_var_lib_t)
########################################
#
# kubernetes domain local policy
#
# this is kernel bug which is going to be fixed
# needs to be removed then
dontaudit kubernetes_domain self:capability2 block_suspend;
allow kubernetes_domain self:tcp_socket create_stream_socket_perms;
kernel_read_unix_sysctls(kubernetes_domain)
kernel_read_net_sysctls(kubernetes_domain)
#auth_read_passwd(kubernetes_domain)
corenet_tcp_bind_generic_node(kubernetes_domain)
corenet_tcp_bind_kubernetes_port(kubernetes_domain)
corenet_tcp_connect_http_cache_port(kubernetes_domain)
corenet_tcp_connect_kubernetes_port(kubernetes_domain)
########################################
#
# kube_apiserver local policy
#
sysnet_dns_name_resolve(kube_apiserver_t)
dev_read_urand(kube_apiserver_t)
########################################
#
# kube_controller local policy
#
########################################
#
# kubelet local policy
#
allow kubelet_t self:capability net_admin;
manage_dirs_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
manage_lnk_files_pattern(kubelet_t, kubelet_var_lib_t, kubelet_var_lib_t)
files_var_lib_filetrans(kubelet_t, kubelet_var_lib_t, dir)
docker_stream_connect(kubelet_t)
########################################
#
# kube_proxy local policy
#
allow kube_proxy_t self:capability net_admin;
allow kube_scheduler_t self:capability net_admin;