mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-02-18 00:17:39 +01:00
Adds IncludeAllDeployments option to show all deployments, not just problem ones (where replicas don't match desired). This provides parity with the existing --kube-include-all-pods flag. - Add IncludeAllDeployments to kubernetesagent.Config - Add --kube-include-all-deployments flag and PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS env var - Update collectDeployments to respect the new flag - Add test for IncludeAllDeployments functionality - Update UNIFIED_AGENT.md documentation Addresses feedback from PR #855
🛡️ Sensor Proxy AppArmor (Optional)
Deprecated in v5:
pulse-sensor-proxy is deprecated and not recommended for new deployments. Use pulse-agent --enable-proxmox for temperature monitoring. This document is retained for existing installations during the migration window.
Secure pulse-sensor-proxy with AppArmor and Seccomp.
🛡️ AppArmor
Profile: security/apparmor/pulse-sensor-proxy.apparmor
- Allows: Configs, logs, SSH keys, outbound TCP/SSH.
- Blocks: Raw sockets, module loading, ptrace, exec outside allowlist.
Install & Enforce
curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/security/apparmor/pulse-sensor-proxy.apparmor | \
sudo tee /etc/apparmor.d/pulse-sensor-proxy >/dev/null
sudo apparmor_parser -r /etc/apparmor.d/pulse-sensor-proxy
sudo aa-enforce pulse-sensor-proxy
🔒 Seccomp
Profile: security/seccomp/pulse-sensor-proxy.json
- Allows: Go runtime syscalls, network, file IO.
- Blocks: Everything else (returns EPERM).
Systemd (Classic)
Add to service override:
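[Service]
AppArmorProfile=pulse-sensor-proxy
SystemCallFilter=@system-service
# systemd has no SystemCallAllow= key; repeated SystemCallFilter= allow-lists are merged, names space-separated.
SystemCallFilter=accept connect recvfrom sendto recvmsg sendmsg sendmmsg getsockname getpeername getsockopt setsockopt shutdown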
Containers (Docker/Podman)
curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/security/seccomp/pulse-sensor-proxy.json | \
sudo tee /etc/pulse-sensor-proxy.seccomp.json >/dev/null
podman run --security-opt seccomp=/etc/pulse-sensor-proxy.seccomp.json ...
🔍 Verification
Check status with aa-status or journalctl -t auditbeat.
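An added example, not part of the Pulse repository: a POSIX shell check that reads the AppArmor label and seccomp mode of the running proxy from /proc, confirming that the process itself is confined and not only that the profile is loaded. The function name check_confinement and the assumption that the process is named pulse-sensor-proxy are illustrative.

```shell
#!/bin/sh
# check_confinement PROC_DIR PROFILE
#   PROC_DIR: /proc/<pid> of the running proxy (or a fixture directory with
#             the same layout, for testing).
#   PROFILE:  AppArmor profile name expected in enforce mode.
# Prints one line per control; returns 0 only if both are active.
check_confinement() {
    cc_dir=$1
    cc_want=$2
    cc_rc=0

    # AppArmor label is "<profile> (enforce)", "<profile> (complain)" or "unconfined".
    cc_label=$(tr -d '\000' < "$cc_dir/attr/current" 2>/dev/null) || cc_label=
    case $cc_label in
        "$cc_want (enforce)")
            echo "apparmor: ok ($cc_label)" ;;
        "$cc_want (complain)")
            echo "apparmor: profile attached but in complain mode, violations are only logged"
            cc_rc=1 ;;
        *)
            echo "apparmor: not confined by $cc_want (label: ${cc_label:-unreadable})"
            cc_rc=1 ;;
    esac

    # Seccomp field of /proc/<pid>/status: 0 = disabled, 1 = strict, 2 = filter.
    cc_mode=$(awk '$1 == "Seccomp:" { print $2 }' "$cc_dir/status" 2>/dev/null) || cc_mode=
    case $cc_mode in
        2) echo "seccomp: ok (filter mode)" ;;
        1) echo "seccomp: strict mode, not the expected filter profile"; cc_rc=1 ;;
        *) echo "seccomp: no filter active (mode: ${cc_mode:-unreadable})"; cc_rc=1 ;;
    esac

    return "$cc_rc"
}

# On a host (assumes the process name matches the profile name):
#   check_confinement "/proc/$(pidof pulse-sensor-proxy)" pulse-sensor-proxy
```

Run it as root, since reading another user's /proc/<pid>/attr/current can be denied.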