This document is a todo list of features that bouheki plans to add or modify in the future.
Currently, bouheki can only restrict network communication, but we are considering support for other LSM hook points.
Some host files (e.g. `/var/run/docker.sock`), when mounted into a container, can be used to escape from it. I think this can be done by hooking `lsm/sb_mount`.
The more LSM hook points are supported, the more complicated the configuration becomes.
Therefore, we will prepare a separate configuration file for each hook point.
```yaml
version: v1
kind: RestrictNetwork
config:
  - cidr:
      allow: []
      deny: []
  ...
```
We would like to be able to use multiple restriction settings (for example, a separate restriction rule for each application), but this is difficult because the rules are stored in eBPF maps.