adelorenzo/kubesolo-os
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)
Some checks failed
CI / Go Tests (push) Has been cancelled
Details
CI / Build Go Binaries (amd64, linux, linux-amd64) (push) Has been cancelled
Details
CI / Build Go Binaries (arm64, linux, linux-arm64) (push) Has been cancelled
Details
CI / Shellcheck (push) Has been cancelled
Details

Browse Source 
Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-
partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Adolfo Delorenzo
2026-02-12 13:08:17 -06:00
parent 7abf0e0c04
commit efc7f80b65
38 changed files with 2512 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
update/cmd/apply.go
View File

@@ -4,7 +4,6 @@ import (
"fmt"
"log/slog"
"github.com/portainer/kubesolo-os/update/pkg/grubenv"
"github.com/portainer/kubesolo-os/update/pkg/image"
"github.com/portainer/kubesolo-os/update/pkg/partition"
)
@@ -18,7 +17,7 @@ func Apply(args []string) error {
return fmt.Errorf("--server is required")
}
env := grubenv.New(opts.GrubenvPath)
env := opts.NewBootEnv()
// Determine passive slot
passiveSlot, err := env.PassiveSlot()