Skip to content

flavio/podlock

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

142 Commits
.devcontainer
.devcontainer
 
 
.github
.github
 
 
api/v1alpha1
api/v1alpha1
 
 
charts/podlock
charts/podlock
 
 
cmd
cmd
 
 
coverage
coverage
 
 
docs
docs
 
 
examples
examples
 
 
hack
hack
 
 
internal
internal
 
 
pkg/constants
pkg/constants
 
 
test
test
 
 
updatecli
updatecli
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile.controller
Dockerfile.controller
 
 
Dockerfile.nri
Dockerfile.nri
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
PROJECT
PROJECT
 
 
README.md
README.md
 
 
Tiltfile
Tiltfile
 
 
antora-playbook.yml
antora-playbook.yml
 
 
artifacthub-repo.yml
artifacthub-repo.yml
 
 
codecov.yml
codecov.yml
 
 
commitlint.config.js
commitlint.config.js
 
 
cr.yaml
cr.yaml
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tilt-settings.yaml.example
tilt-settings.yaml.example
 
 

Repository files navigation

PodLock

PodLock restrict process execution and file access in Kubernetes Pods using the Landlock Linux Kernel LSM.

Kubernetes users can define PodLock profiles that specify restrictions for processes running inside containers. Each profile describes the restrictions to apply to individual binaries within a container. File system access (read, write, and execute permissions) of individual binaries within a container can be controlled by PodLock.

For example, given the following profile:

apiVersion: podlock.kubewarden.io/v1alpha1
kind: LandlockProfile
metadata:
  name: nginx
  namespace: default
spec:
  profilesByContainer:
    nginx:
      "/usr/sbin/nginx":
        readExec:
          - /lib
          - /lib64
        readOnly:
          - /usr/share/nginx
        readWrite:
          - /tmp

This profile will limit the processes started by the /usr/bin/nginx, they will be given read and exec rights to the system libraries (/lib and /lib64).

Access to /usr/share/nginx is going to be read only, while /tmp will also be writable.

Landlock works in a "deny all" approach. Because of that, the nginx process will not be able to read other parts of the filesytem. It won't be able to start other binaries from the system, unless they are under the lib directories (to which it has no write access).

Documentation

Full project documentation is available at https://flavio.github.io/podlock.

Current Limitations

  • Updating a profile does not automatically trigger a rollout of the associated pods, potentially requiring manual intervention.
  • Currently, no mechanisms are available to observe or log violations that are enforced by PodLock.
  • A learning mode to assist in profile creation and validation is not implemented yet.

About

Restrict process execution and file access in Kubernetes Pods with Landlock

flavio.github.io/podlock/

Topics

kubernetes kubernetes-security landlock

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing
Activity

Stars

10 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 5

podlock v0.1.0 Latest
Jan 26, 2026
+ 4 releases

Packages

 
 
 

Contributors

Languages