Feb. 12, 2023, 8:29 p.m.

k8s Operator, Could You Help Me Place SysCall?

This week we look at Custom Seccomp Profiles (CSP) and Security Profiles Operator (SPO), and future WebAssembly (Wasm) Operators.

Fudge Sunday by Jay Cuthrell

Music: Jim Croce - “Operator” (1972)

Note: This edition of the newsletter is exploring some of the newest features from Buttondown for oEmbed. Love it? Hate it? If you prefer footnotes and hyperlinks over rich media inclusions or image click through inclusions, your feedback would be appreciated.

Getting Informed

This newsletter and my blog have described the progression of application deployment options: from operating systems installed on bare metal servers, to hypervisors running virtual machines, to the emergence and growing adoption of containers for cloud-native apps.

Along the way there are corresponding progressions in how security and observability are implemented in each of these deployment options — including the growth in use of Operators covered in our last issue.



Smooth k8s Operator

This week we take a look at growing interest in Kubernetes (k8s) Operators.

If you consider the growth of containerized environments and squint hard, you’ll appreciate the sage security and observability wisdom from the cult classic movie Airplane:

“Striker, listen, and you listen close: flying a plane is no different than riding a bicycle, just a lot harder to put baseball cards in the spokes.” – Rex Kramer

Isn’t that the way they say it goes? 🎶

Joking aside, does the goal of combining observability with security inside containerized environments lend itself to this comedic analogy of attempting to put baseball cards into the blades of a modern jet engine?

First, imagine a way to protect an application by restricting specific actions that can be taken within a container. Now, behold the brave new world of Seccomp Profiles from Sascha Grunert:

Next, imagine the ability to be on the lookout for gnarly system calls (syscalls) that a process might use to escalate privileges or break out of its container. Now, consider the practical application of the seccomp notifier (the kernel's seccomp user notification mechanism, surfaced through the container runtime), once again from Sascha Grunert:


Finding suspicious syscalls with the seccomp notifier | Kubernetes

Authors: Sascha Grunert. Debugging software in production is one of the biggest challenges we have to face in our containerized environments. Being able to understand the impact of the available security options, especially when it comes to configuring our deployments, is one of the key aspects to make the default security in Kubernetes stronger. We have all those logging, tracing and metrics data already at hand, but how do we assemble the information they provide into something human readable and actionable?

You can keep the dime 🎶
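To make the two ideas above concrete, here is an added example (my own, not code from the newsletter, the SPO project, or the linked post) of the shape these pieces take in practice: a SeccompProfile custom resource as managed by the Security Profiles Operator, and a Pod that runs under it. It assumes SPO is installed, a namespace `demo` and resource name `nginx-restricted` (both hypothetical), and a CRI-O runtime new enough to honour the seccomp notifier annotation described in the linked post; the allow-list is abbreviated for the page rather than a complete recording of what nginx needs, and the set of "watched" syscalls is my choice for illustration.

```yaml
# Added example, not from the newsletter or the SPO project.
# A SeccompProfile object: SPO renders it to a seccomp JSON file on every node.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: nginx-restricted   # hypothetical name
  namespace: demo          # hypothetical namespace
spec:
  # Anything not listed below is refused with EPERM instead of reaching the kernel.
  defaultAction: SCMP_ACT_ERRNO
  architectures:
    - SCMP_ARCH_X86_64
  syscalls:
    # Abbreviated allow-list for illustration only. In practice this list is
    # recorded from the running workload (what SPO's profile recording is for)
    # rather than written by hand.
    - action: SCMP_ACT_ALLOW
      names:
        - accept4
        - bind
        - listen
        - epoll_wait
        - read
        - write
        - close
        - exit_group
    # Syscalls worth watching: they are allowed to proceed, but the runtime's
    # seccomp notifier is told about every call so it can log or react.
    - action: SCMP_ACT_NOTIFY
      names:
        - ptrace
        - mount
        - unshare
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-restricted
  namespace: demo
  annotations:
    # CRI-O specific (see the linked post): stop the container once a
    # notified syscall is observed instead of only logging it.
    io.kubernetes.cri-o.seccompNotifierAction: stop
spec:
  containers:
    - name: nginx
      image: nginx:1.23
      securityContext:
        seccompProfile:
          type: Localhost
          # SPO writes the rendered profile under the kubelet seccomp root as
          # operator/<namespace>/<name>.json; this path is relative to it.
          localhostProfile: operator/demo/nginx-restricted.json
```

Two caveats a practitioner would check before copying this: with `SCMP_ACT_ERRNO` as the default, any syscall missing from the allow-list makes the container fail in ways that look like application bugs, so start from a recorded profile (or `SCMP_ACT_LOG`) and tighten from there; and `SCMP_ACT_NOTIFY` only does something useful if the container runtime actually implements the notifier, otherwise the watched syscalls simply run.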

Now, while this adversarial concern might sound extravagant or exotic, sadly it isn’t. To connect those dots, a future issue of this newsletter will feature a “Swing Out Sister” take on the security equivalent of a Rickroll-related issue. Until then, to learn more about the k8s Security Profiles Operator, you can visit the GitHub repository:



GitHub - kubernetes-sigs/security-profiles-operator: The Kubernetes Security Profiles Operator

Once there, you can also review the SPO Roadmap:

[Screenshot: SPO Roadmap]

Next, to get a feel for how these design choices came together and how the roadmap may evolve, you can look into the #security-profiles-operator channel in the Kubernetes Slack community.

Indeed, the repository’s pull request history shows the timeline over the past few years, including the addition of the gRPC API and some familiar contributors:




Add GRPC API support by saschagrunert · Pull Request #469 · kubernetes-sigs/security-profiles-operator · GitHub

What type of PR is this? /kind feature What this PR does / why we need it: This allows us to create custom data transferred between containers within SPOD daemonset pods. For now the API is not bei…



WIP: PoC for Recording seccomp profiles by rhafer · Pull Request #140 · kubernetes-sigs/security-profiles-operator · GitHub

What type of PR is this? /kind feature What this PR does / why we need it: This PoC adds a controller to the controller that will collect seccomp profiles generated by the seccomp-bpf oci-hook. It …

Now, let’s connect the dots. Last year, this newsletter covered WebAssembly (Wasm).



Cadillac WebAssembly Line

Albert King - “Cadillac Assembly Line” (1980) Getting Informed This week we take a look at WebAssembly (Wasm) and the implications of ubiquitous stack-…

And…

Free and Open Source Software Developers’ European Meeting (FOSDEM) 2023 content is appearing online now. This means you can learn about memory- and resource-hungry k8s hippos and the possibilities of Wasm Operators from Merlijn Sebrechts:



FOSDEM 2023 - Lightweight Kubernetes Operators with WebAssembly


So, what will be the next big thing in k8s Operators, security, observability, and automation?

Until then… Place your bets!

Work Plug

As a reminder, after a +25 year walkabout, I’m an IBMer (again). For 2023, in “Work Plug”, I’ll share a new link each week that is educational, accessible, and relevant to platform engineering from fellow IBMers[1] and alumni in the wider IBM Community.

Stay tuned!

Disclosure

I am linking to my disclosure.


  1. Shout out to Bryan Truong

You just read issue #186 of Fudge Sunday by Jay Cuthrell. You can also browse the full archives of this newsletter.
