Pulse/docs/security/SENSOR_PROXY_APPARMOR.md
rcourtman 2b48b0a459 feat: add --kube-include-all-deployments flag for Kubernetes agent
Adds IncludeAllDeployments option to show all deployments, not just
problem ones (where replicas don't match desired). This provides parity
with the existing --kube-include-all-pods flag.

- Add IncludeAllDeployments to kubernetesagent.Config
- Add --kube-include-all-deployments flag and PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS env var
- Update collectDeployments to respect the new flag
- Add test for IncludeAllDeployments functionality
- Update UNIFIED_AGENT.md documentation

Addresses feedback from PR #855
2025-12-18 20:58:30 +00:00


🛡️ Sensor Proxy AppArmor (Optional)

Deprecated in v5: pulse-sensor-proxy is deprecated and not recommended for new deployments. Use pulse-agent --enable-proxmox for temperature monitoring. This document is retained for existing installations during the migration window.

Secure pulse-sensor-proxy with AppArmor and Seccomp.

🛡️ AppArmor

Profile: security/apparmor/pulse-sensor-proxy.apparmor

  • Allows: Configs, logs, SSH keys, outbound TCP/SSH.
  • Blocks: Raw sockets, module loading, ptrace, exec outside allowlist.

Install & Enforce

curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/security/apparmor/pulse-sensor-proxy.apparmor | \
  sudo tee /etc/apparmor.d/pulse-sensor-proxy >/dev/null
sudo apparmor_parser -r /etc/apparmor.d/pulse-sensor-proxy
sudo aa-enforce pulse-sensor-proxy

🔒 Seccomp

Profile: security/seccomp/pulse-sensor-proxy.json

  • Allows: Go runtime syscalls, network, file IO.
  • Blocks: Everything else (returns EPERM).

Systemd (Classic)

Add to the unit's drop-in override (for example via systemctl edit pulse-sensor-proxy):

[Service]
AppArmorProfile=pulse-sensor-proxy
# SystemCallFilter= is an allowlist; multiple lines are merged. @system-service is
# systemd's baseline set for services (it already includes @network-io, so the
# explicit socket calls below are redundant but document the intent). There is no
# SystemCallAllow= directive in systemd; the second SystemCallFilter= line is how
# extra syscalls are added.
SystemCallFilter=@system-service
SystemCallFilter=accept connect recvfrom sendto recvmsg sendmsg sendmmsg getsockname getpeername getsockopt setsockopt shutdown
# By default a filtered syscall kills the process with SIGSYS. To fail with EPERM
# instead, matching the container profile below, add:
# SystemCallErrorNumber=EPERM

Containers (Docker/Podman)

curl -fsSL https://raw.githubusercontent.com/rcourtman/Pulse/main/security/seccomp/pulse-sensor-proxy.json | \
  sudo tee /etc/pulse-sensor-proxy.seccomp.json >/dev/null

# Both runtimes take a seccomp profile through --security-opt
# (neither podman run nor docker run has a --seccomp-profile flag).
podman run --security-opt seccomp=/etc/pulse-sensor-proxy.seccomp.json ...
docker run --security-opt seccomp=/etc/pulse-sensor-proxy.seccomp.json ...

🔍 Verification

Check status with aa-status (the profile should be listed under enforce mode). AppArmor denials are emitted by the kernel, so look for apparmor="DENIED" lines in journalctl -k, or in your audit pipeline (journalctl -t auditbeat if Auditbeat is shipping the audit events).
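As an added example that is not part of the Pulse project, the POSIX shell helpers below turn the checks above into something scriptable: they extract DENIED events for a named profile from kernel audit text, read a process's seccomp mode from its /proc/<pid>/status, and report its AppArmor confinement label. The audit lines embedded in the script are constructed for illustration, the profile name pulse-sensor-proxy comes from this page, and the PID argument is assumed to be the running proxy.

```shell
#!/bin/sh
# Added example, not code from the Pulse project: helper checks for the
# pulse-sensor-proxy hardening described above. Functions only read the
# files or text they are given, so they work on saved copies as well as
# on a live /proc.

# Constructed sample of AppArmor audit lines in the format the kernel logs
# (what journalctl -k shows); not captured from a real Pulse host.
SAMPLE_AUDIT='audit: type=1400 audit(1700000000.123:45): apparmor="DENIED" operation="open" profile="pulse-sensor-proxy" name="/etc/shadow" pid=1234 comm="pulse-sensor-pr" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000001.456:46): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="pulse-sensor-proxy" pid=1300 comm="apparmor_parser"
audit: type=1400 audit(1700000002.789:47): apparmor="DENIED" operation="ptrace" profile="pulse-sensor-proxy" pid=1234 comm="pulse-sensor-pr" requested_mask="read" denied_mask="read" peer="unconfined"
audit: type=1400 audit(1700000003.000:48): apparmor="ALLOWED" operation="open" profile="pulse-sensor-proxy" name="/etc/pulse/sensor-proxy.yaml" pid=1234 comm="pulse-sensor-pr" requested_mask="r" denied_mask="r"'

# apparmor_denials PROFILE   (audit text on stdin)
# Prints "<operation> <name>" for each DENIED event attributed to PROFILE,
# with "-" when the event carries no name= field (ptrace, signal, ...).
# Under aa-complain the same events are logged as ALLOWED, so match that
# instead while tuning a profile. Splitting on whitespace is enough for the
# kernel's key="value" format unless a path itself contains spaces.
apparmor_denials() {
    awk -v want="$1" '
        /apparmor="DENIED"/ {
            op = ""; prof = ""; name = "-"
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") < 2) continue
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "operation") op = v
                else if (kv[1] == "profile") prof = v
                else if (kv[1] == "name") name = v
            }
            if (prof == want) print op, name
        }'
}

# seccomp_mode STATUS_FILE
# Reads the Seccomp: field of a /proc/<pid>/status file: 0 = none,
# 1 = strict, 2 = filter (what SystemCallFilter= and the container profile
# install). Prints "unknown" if the field is absent.
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; found = 1 } END { if (!found) print "unknown" }' "$1"
}

# apparmor_confinement PID
# Prints the label the kernel reports in /proc/<pid>/attr/current, e.g.
# "pulse-sensor-proxy (enforce)" or "unconfined"; "unavailable" when
# AppArmor is not active on this kernel.
apparmor_confinement() {
    attr="/proc/$1/attr/current"
    label=$(tr -d '\0\n' < "$attr" 2>/dev/null) && [ -n "$label" ] \
        && printf '%s\n' "$label" || printf 'unavailable\n'
}

# Live check:  sh check.sh <pid-of-pulse-sensor-proxy>
if [ -n "${1:-}" ]; then
    echo "confinement: $(apparmor_confinement "$1")"
    echo "seccomp:     $(seccomp_mode "/proc/$1/status")"
    echo "denials since boot:"
    journalctl -k --no-pager 2>/dev/null | apparmor_denials pulse-sensor-proxy
fi
```

Seccomp mode 2 on the proxy's PID confirms the filter is actually attached to the running process, which aa-status cannot tell you; a confinement label ending in "(complain)" means the profile is loaded but not enforcing, so denials will show up as ALLOWED rather than DENIED.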