Apply suggested fixes from PR
This commit is contained in:
Jeroen Rijken
Alex
parent
5af6cda328
commit
78cfb23bff
3 changed files with 59 additions and 61 deletions
|
|
@ -24,13 +24,13 @@ profile k3s @{exec_path} flags=(complain) {
|
|||
ptrace peer=@{profile_name},
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
|
||||
mount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
|
||||
umount /var/lib/kubelet/pods/@{uuid}/volumes/kubernetes.io~*/{,**/},
|
||||
|
||||
signal (send, receive) set=term,
|
||||
|
|
@ -56,20 +56,20 @@ profile k3s @{exec_path} flags=(complain) {
|
|||
/{usr/,}{s,}bin/iptables-legacy-restore rPx -> xtables-nft-multi,
|
||||
/{usr/,}{s,}bin/xtables-nft-multi rPx,
|
||||
|
||||
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
|
||||
@{libexec}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
|
||||
/var/lib/rancher/k3s/data/[0-9a-f]*/bin/* rix,
|
||||
|
||||
/usr/libexec/kubernetes/kubelet-plugins/volume/exec/{,**} r,
|
||||
@{libexec}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
|
||||
/usr/share/mime/globs2 r,
|
||||
|
||||
/etc/machine-id r,
|
||||
/etc/rancher/k3s/{,**} r,
|
||||
/etc/rancher/k3s/k3s.yaml rw,
|
||||
/etc/machine-id r,
|
||||
/etc/rancher/k3s/{,**} r,
|
||||
/etc/rancher/k3s/k3s.yaml rw,
|
||||
/etc/rancher/node/password r,
|
||||
|
||||
/var/lib/rancher/k3s/{,**} r,
|
||||
/var/lib/rancher/k3s/agent/** rw,
|
||||
/var/lib/rancher/k3s/server/** rw,
|
||||
/var/lib/rancher/k3s/{,**} r,
|
||||
/var/lib/rancher/k3s/agent/** rw,
|
||||
/var/lib/rancher/k3s/server/** rw,
|
||||
/var/lib/rancher/k3s/server/db/** rwk,
|
||||
|
||||
# k3s want's to basically manage all directories and create some specific files.
|
||||
|
|
@ -85,19 +85,19 @@ profile k3s @{exec_path} flags=(complain) {
|
|||
/var/lib/kubelet/pods/@{uuid}/**/namespace rw,
|
||||
/var/lib/kubelet/pods/@{uuid}/**/token rw,
|
||||
|
||||
/var/log/containers/ r,
|
||||
/var/log/containers/** rw,
|
||||
/var/log/rancher/{,**} r,
|
||||
/var/log/kubelet/{,**} r,
|
||||
/var/log/kubernetes/{,**} r,
|
||||
/var/log/containers/ r,
|
||||
/var/log/containers/** rw,
|
||||
/var/log/rancher/{,**} r,
|
||||
/var/log/kubelet/{,**} r,
|
||||
/var/log/kubernetes/{,**} r,
|
||||
/var/log/kubernetes/audit/** rw,
|
||||
/var/log/pods/{,**} r,
|
||||
/var/log/pods/{,**/} rw,
|
||||
/var/log/pods/**/[0-9]*.log rw,
|
||||
/var/log/pods/{,**} r,
|
||||
/var/log/pods/{,**/} rw,
|
||||
/var/log/pods/**/[0-9]*.log rw,
|
||||
|
||||
@{HOME}/.kube/cache/discovery/{,**} rw,
|
||||
@{HOME}/.kube/cache/http/[0-9a-z]* rw,
|
||||
@{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
|
||||
owner @{HOME}/.kube/cache/discovery/{,**} rw,
|
||||
owner @{HOME}/.kube/cache/http/[0-9a-z]* rw,
|
||||
owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
|
||||
|
||||
@{run}/containerd/containerd.sock rw,
|
||||
@{run}/systemd/notify w,
|
||||
|
|
@ -106,36 +106,36 @@ profile k3s @{exec_path} flags=(complain) {
|
|||
@{run}/nodeagent/ rw,
|
||||
@{run}/xtables.lock rwk,
|
||||
|
||||
/var/tmp/etilqs_* rw,
|
||||
owner /var/tmp/etilqs_[0-9a-f]* rw,
|
||||
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
owner @{PROC}/@{pids}/cpuset r,
|
||||
owner @{PROC}/@{pids}/mounts r,
|
||||
owner @{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/net/dev r,
|
||||
owner @{PROC}/@{pids}/cgroup r,
|
||||
owner @{PROC}/@{pids}/cpuset r,
|
||||
owner @{PROC}/@{pids}/mounts r,
|
||||
owner @{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/net/dev r,
|
||||
@{PROC}/@{pids}/net/ip_tables_names r,
|
||||
owner @{PROC}/@{pids}/net/ipv6_route r,
|
||||
owner @{PROC}/@{pids}/net/route r,
|
||||
owner @{PROC}/@{pids}/oom_score_adj rw,
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/uid_map r,
|
||||
owner @{PROC}/@{pids}/net/ipv6_route r,
|
||||
owner @{PROC}/@{pids}/net/route r,
|
||||
owner @{PROC}/@{pids}/oom_score_adj rw,
|
||||
owner @{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/uid_map r,
|
||||
|
||||
@{PROC}/diskstats r,
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/sys/fs/pipe-max-size r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
@{PROC}/sys/net/ipv4/conf/all/* rw,
|
||||
@{PROC}/diskstats r,
|
||||
@{PROC}/modules r,
|
||||
@{PROC}/sys/fs/pipe-max-size r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
@{PROC}/sys/net/ipv4/conf/all/* rw,
|
||||
@{PROC}/sys/net/ipv4/conf/default/* rw,
|
||||
@{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
|
||||
@{PROC}/sys/net/netfilter/* rw,
|
||||
@{PROC}/sys/kernel/keys/* r,
|
||||
@{PROC}/sys/kernel/panic rw,
|
||||
@{PROC}/sys/kernel/panic_on_oom rw,
|
||||
@{PROC}/sys/kernel/panic_on_oops rw,
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/vm/overcommit_memory rw,
|
||||
@{PROC}/sys/vm/panic_on_oom r,
|
||||
@{PROC}/sys/net/netfilter/* rw,
|
||||
@{PROC}/sys/kernel/keys/* r,
|
||||
@{PROC}/sys/kernel/panic rw,
|
||||
@{PROC}/sys/kernel/panic_on_oom rw,
|
||||
@{PROC}/sys/kernel/panic_on_oops rw,
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
@{PROC}/sys/vm/overcommit_memory rw,
|
||||
@{PROC}/sys/vm/panic_on_oom r,
|
||||
|
||||
@{sys}/class/net/ r,
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue