Layer: services

Module: kubernetes

Description:

Policy for kubernetes.


Interfaces:

kubernetes_admin( domain , role )
Summary

All of the rules required to administrate a kubernetes environment.

Parameters
Parameter:Description:
domain

Domain allowed access.

role

Role allowed access.

kubernetes_container( domain )
Summary

Associate the specified domain as a domain which is capable of operating as a container domain which can be spawned by the kubernetes engine.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_container_engine( domain )
Summary

Associate the specified domain as a domain which is capable of operating as a kubernetes container engine.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_domtrans_kubeadm( domain )
Summary

Execute kubeadm in the kubeadm domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

kubernetes_domtrans_kubelet( domain )
Summary

Execute kubelet in the kubelet domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

kubernetes_dontaudit_search_engine_keys( domain )
Summary

Do not audit attempts to search kubernetes container engine keys.

Parameters
Parameter:Description:
domain

Domain to not audit.

kubernetes_get_unit_status( domain )
Summary

Get the status of kubernetes systemd units.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_getpgid_containers( domain )
Summary

Allow the specified domain to get the process group ID of all kubernetes containers.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

kubernetes_kubelet_kill( domain )
Summary

Allow kubelet to send a kill signal to the specified domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_list_plugins( domain )
Summary

Allow the specified domain to list the contents of kubernetes plugin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_list_tmpfs( domain )
Summary

List the contents of kubernetes tmpfs directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_config_files( domain )
Summary

Manage kubernetes config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_plugin_files( domain )
Summary

Allow the specified domain to manage kubernetes plugin files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_runtime_dirs( domain )
Summary

Manage kubernetes runtime directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_runtime_files( domain )
Summary

Manage kubernetes runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_runtime_sock_files( domain )
Summary

Manage kubernetes runtime sock files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_runtime_symlinks( domain )
Summary

Manage kubernetes runtime symlinks.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_tmpfs_dirs( domain )
Summary

Manage kubernetes tmpfs directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_tmpfs_files( domain )
Summary

Manage kubernetes tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_manage_tmpfs_symlinks( domain )
Summary

Manage kubernetes tmpfs symlinks.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_map_runtime_files( domain )
Summary

Memory map kubernetes runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_mounton_config_dirs( domain )
Summary

Mount on kubernetes config directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_mounton_config_files( domain )
Summary

Mount on kubernetes config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_mounton_runtime_dirs( domain )
Summary

Mount on kubernetes runtime directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_mountpoint( domain )
Summary

Allow the specified file type to be mounted on by kubernetes.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_read_config( domain )
Summary

Read kubernetes config files and symlinks.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_read_container_engine_state( domain )
Summary

Read the process state (/proc/pid) of kubernetes container engines.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_read_kubelet_state( domain )
Summary

Read the process state (/proc/pid) of kubelet.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_read_tmpfs_files( domain )
Summary

Read kubernetes tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_read_tmpfs_symlinks( domain )
Summary

Read kubernetes tmpfs symlinks.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_relabelfrom_tmpfs_dirs( domain )
Summary

Relabel directories from the kubernetes tmpfs type.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_relabelfrom_tmpfs_files( domain )
Summary

Relabel files from the kubernetes tmpfs type.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_relabelfrom_tmpfs_symlinks( domain )
Summary

Relabel symlinks from the kubernetes tmpfs type.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_reload_unit( domain )
Summary

Reload kubernetes systemd units.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_run_engine_bpf( domain )
Summary

Run kubernetes container engine bpf programs.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_run_kubeadm( domain , role )
Summary

Execute kubeadm in the kubeadm domain, and allow the specified role the kubeadm domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

The role to be allowed the kubeadm domain.

kubernetes_run_kubelet( domain , role )
Summary

Execute kubelet in the kubelet domain, and allow the specified role the kubelet domain.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

role

The role to be allowed the kubelet domain.

kubernetes_rw_container_engine_fifo_files( domain )
Summary

Read and write FIFO files from kubernetes container engines.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_search_config( domain )
Summary

Search kubernetes config directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_search_plugin_dirs( domain )
Summary

Allow the specified domain to search through the contents of kubernetes plugin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_start_unit( domain )
Summary

Start kubernetes systemd units.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_stop_unit( domain )
Summary

Stop kubernetes systemd units.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_stream_connect_kubelet( domain )
Summary

Connect to kubelet over a unix stream socket.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_use_kubelet_fds( domain )
Summary

Inherit and use file descriptors from kubelet.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_watch_config_dirs( domain )
Summary

Allow the specified domain to watch kubernetes config directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_watch_config_files( domain )
Summary

Allow the specified domain to watch kubernetes config files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_watch_plugin_dirs( domain )
Summary

Allow the specified domain to watch kubernetes plugin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_watch_runtime_files( domain )
Summary

Watch kubernetes runtime files.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_watch_tmpfs_dirs( domain )
Summary

Watch kubernetes tmpfs directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

kubernetes_watch_tmpfs_files( domain )
Summary

Watch kubernetes tmpfs files.

Parameters
Parameter:Description:
domain

Domain allowed access.

Templates:

kubernetes_kubectl_role( role_prefix , user_domain , user_exec_domain , role )
Summary

Role access for kubectl.

Parameters
Parameter:Description:
role_prefix

The prefix of the user role (e.g., user is the prefix for user_r).

user_domain

User domain for the role.

user_exec_domain

User exec domain for execute and transition access.

role

Role allowed access.
