kubernetes-sigs/security-profiles-operator

GitHub: kubernetes-sigs/security-profiles-operator

Stars: 848 | Forks: 135

# Kubernetes Security Profiles Operator [![build](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/70f20b6eb1235646.svg)](https://github.com/kubernetes-sigs/security-profiles-operator/actions/workflows/build.yml) [![test](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/7e88ef6998235647.svg)](https://github.com/kubernetes-sigs/security-profiles-operator/actions/workflows/test.yml) [![coverage](https://codecov.io/gh/kubernetes-sigs/security-profiles-operator/branch/main/graph/badge.svg?token=37VIWSZ1ZT)](https://codecov.io/gh/kubernetes-sigs/security-profiles-operator) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5368/badge)](https://bestpractices.coreinfrastructure.org/projects/5368) [![OCI security profiles](https://img.shields.io/badge/oci%3A%2F%2F-security%20profiles-blue?logo=kubernetes&logoColor=white)](https://github.com/orgs/security-profiles/packages)

The _Security Profiles Operator_ (SPO) is an out-of-tree Kubernetes enhancement which aims to make it easier to create and use SELinux, seccomp and AppArmor security profiles in Kubernetes clusters.
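As an added illustration of what "create and use" a profile looks like with the operator (this is example configuration written for this page, not manifests from the SPO repository), the following manifests walk through a seccomp profile CRD, a Pod that references the installed profile, a binding that applies the profile to a container image, and an eBPF recording that derives a profile from a running workload. The namespace `demo`, the object names, the labels and the image reference are constructed; the API groups, versions and field names follow the operator's published CRDs to the best of my knowledge, and `installation-usage.md` linked below is the authoritative reference for your installed version.

```yaml
# Added example, not part of the security-profiles-operator repository.
# Names, namespace, labels and image are constructed placeholders.
---
# 1. Profile CRD: an allow-list seccomp profile that SPO installs on every node.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: example-allowlist        # constructed
  namespace: demo                # constructed
spec:
  # Syscalls outside the allow-list are logged instead of denied, so a
  # profile that is too tight surfaces in the audit log rather than as a
  # crashing container. Switch to SCMP_ACT_ERRNO once the list is validated.
  defaultAction: SCMP_ACT_LOG
  architectures:
    - SCMP_ARCH_X86_64
  syscalls:
    - action: SCMP_ACT_ALLOW
      names:
        - exit_group
        - futex
        - read
        - write
        - close
        - fstat
        - mmap
        - munmap
        - rt_sigreturn
---
# 2. Using the installed profile from a Pod. The operator writes the JSON
#    under the kubelet's seccomp root as operator/<namespace>/<name>.json,
#    which is what localhostProfile points at.
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  namespace: demo
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: operator/demo/example-allowlist.json
  containers:
    - name: app
      image: registry.example.com/app:1.0   # constructed image reference
---
# 3. Profile binding: apply the profile to every container in the namespace
#    that runs this image, without editing each Pod spec. The feature table
#    below lists this as seccomp-only.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
  name: example-binding
  namespace: demo
spec:
  profileRef:
    kind: SeccompProfile
    name: example-allowlist
  image: registry.example.com/app:1.0
---
# 4. Profile recording with the eBPF recorder: observe Pods matching the
#    selector and emit a SeccompProfile containing the syscalls they used.
#    Review the generated profile before binding it; recording captures
#    only the code paths exercised while the recording was active.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: example-recording
  namespace: demo
spec:
  kind: SeccompProfile
  recorder: bpf
  podSelector:
    matchLabels:
      app: example              # constructed label
```

Two operational notes for anyone adapting this: the operator's documentation makes binding and recording opt-in per namespace through namespace labels, so check `installation-usage.md` for the exact labels your version expects before expecting the binding or recording to take effect; and a profile recorded with the eBPF recorder reflects only what the workload did during the recording window, so treat the result as a starting allow-list to review, then run it with `SCMP_ACT_LOG` as the default action and watch the enriched audit log before switching to a denying default.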
- [Installation and Usage](installation-usage.md)
- [Container Images](https://console.cloud.google.com/gcr/images/k8s-staging-sp-operator/GLOBAL/security-profiles-operator)
- [Release Process](./release.md)
- [Testgrid Dashboard](https://testgrid.k8s.io/sig-node-security-profiles-operator)

## Features

This is the parity of features across the security profile types supported by the SPO:

|                                           | Seccomp | SELinux | AppArmor |
|-------------------------------------------|---------|---------|----------|
| Profile CRD                               | Yes     | Yes     | Yes      |
| Install profiles in cluster               | Yes     | Yes     | Yes      |
| Remove unused profiles from cluster       | Yes     | Yes     | Yes      |
| Profile Recording (audit logs)            | Yes     | Yes     | No       |
| Profile Recording (eBPF)                  | Yes     | No      | Yes      |
| Profile Binding to container images       | Yes     | No      | No       |
| Audit log enrichment                      | Yes     | Yes     | Yes      |
| Audit In-Pod Activity JSON log enrichment | Yes     | No      | No       |

For information about the security model and what permissions each feature requires, refer to SPO's [security model](security-model.md).

## Resources

The motivation behind the project can be found in the corresponding [RFC][0].

- [Architecture](doc/architecture.svg)
- [User Stories](doc/user-stories.md)
- [Personas](doc/personas.md)

Related Kubernetes Enhancement Proposals (KEPs) which have a direct influence on this project:

- [Promote seccomp to GA][1]
- [Add ConfigMap support for seccomp custom profiles][2]
- [Add KEP to create seccomp built-in profiles and add complain mode][3]

Next to those KEPs, here are existing approaches for security profiles in the Kubernetes world:

- [AppArmor Loader][4]
- [OpenShift's Machine config operator, in charge of file management and security profiles on hosts][5]
- [seccomp-config][6]

### Code of conduct