| | discovery-engine | cascade |
|---|---|---|
| Mentions | 2 | 1 |
| Stars | 28 | 54 |
| Growth | - | - |
| Activity | 7.6 | 7.4 |
| Latest commit | 7 months ago | 14 days ago |
| Language | Go | Rust |
| License | - | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
discovery-engine

Thread: "SELinux is unmanageable; just turn it off if it gets in your way"
KubeArmor (https://github.com/kubearmor) makes implementing SELinux policies easy for your host / k8s workloads.
Please do check out the project and provide your valuable feedback.
All of our policies for SELinux are auto-generated using https://github.com/accuknox/discovery-engine
Writing policies by hand is nearly impossible and error-prone, and that is the exact problem we are trying to solve: to make SELinux and AppArmor easy for K8s workloads and now host-based workloads.
Thread: "KubeArmor adds support for SELinux"

Auto Policy discovery for KubeArmor: https://github.com/accuknox/auto-policy-discovery
cascade

Thread: "SELinux is unmanageable; just turn it off if it gets in your way"

From my relatively basic understanding of SELinux, it seems like it has a lot of powerful mechanisms for enforcing security policy, but a lackluster interface for actually showing violations or creating robust policy.
Luckily, I think there’s a lot of community work coming up to make these policies easier to write and more robust.
For example: https://github.com/dburgener/cascade
What are some alternatives?
refpolicy - SELinux Reference Policy v2
cilium-cli - CLI to install, manage & troubleshoot Kubernetes clusters running Cilium
systemd - The systemd System and Service Manager
libdropprivs - Example code (will be library) for dropping privileges
dind - Docker in Docker
firejail - Linux namespaces and seccomp-bpf sandbox
sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.