docs/doc/source/security/kubernetes/enable-disable-apparmor-on-a-host-63a7a184d310.rst
Elisamara Aoki Goncalves ace0287d7a AppArmor Support (dsR8)
Story: 2010310
Task: 47620

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I97065a0d0c345bb32663e1ff631c5c4ca524231d
2023-04-25 15:53:17 -03:00


Enable/Disable AppArmor on a Host

By default, AppArmor is disabled on a host. It can be enabled in the kernel using the system CLI commands shown below. In the example below, AppArmor is enabled on controller-0.

Note

Enabling AppArmor can result in some performance degradation; see System Engineering Guidelines.

Note

On a multi-host configuration, AppArmor should be enabled on all hosts to ensure that the AppArmor profiles are loaded on any host where a pod may be scheduled by Kubernetes.

  1. To enable AppArmor on a host, run the following commands:

    ~(keystone_admin)]$ system host-lock controller-0
    ~(keystone_admin)]$ system host-update controller-0 apparmor=enabled
    ~(keystone_admin)]$ system host-unlock controller-0

    Wait for controller-0 to reset and return to an unlocked/enabled/available state.

  2. Verify that AppArmor is enabled by running the following command on the host.

    sysadmin@controller-0:~$ aa-enabled
    
    Yes

To disable AppArmor on a host, run the following commands.

  1. In the example below, AppArmor is disabled on controller-0.

    ~(keystone_admin)]$ system host-lock controller-0
    ~(keystone_admin)]$ system host-update controller-0 apparmor=disabled
    ~(keystone_admin)]$ system host-unlock controller-0

    Wait for controller-0 to reset and return to an unlocked/enabled/available state.

  2. Verify that AppArmor is disabled by running the following command on the host.

    sysadmin@controller-0:~$ aa-enabled
    
    No
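
The verification steps above can be scripted per host by reading the kernel's own AppArmor interfaces, which also shows how many profiles are actually loaded. This is an added example, not part of the original document or the project's tooling; the function names and the optional `sysroot` argument (used to point the check at a test tree) are assumptions.

```shell
#!/bin/sh
# Added example: check that a host's AppArmor state matches the value
# given to "system host-update <host> apparmor=<enabled|disabled>".
# Function names and the sysroot argument are hypothetical.

# Print enabled, disabled, or absent (kernel exposes no AppArmor module).
apparmor_kernel_state() {
    param="${1:-}/sys/module/apparmor/parameters/enabled"
    if [ ! -r "$param" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$param")" in
        Y) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Print the number of loaded profiles in the given mode (default: enforce).
# Reading the real profiles file requires root.
apparmor_profile_count() {
    list="${1:-}/sys/kernel/security/apparmor/profiles"
    mode="${2:-enforce}"
    if [ ! -r "$list" ]; then
        echo 0
        return 0
    fi
    # Lines look like "docker-default (enforce)"; grep -c exits 1 on zero hits.
    grep -c "(${mode})\$" "$list" || true
}

# apparmor_check <enabled|disabled> [sysroot]
# Returns 0 when the kernel state matches the expected setting.
apparmor_check() {
    expected="$1"
    state="$(apparmor_kernel_state "${2:-}")"
    enforce="$(apparmor_profile_count "${2:-}" enforce)"
    complain="$(apparmor_profile_count "${2:-}" complain)"
    echo "expected=$expected kernel=$state enforce=$enforce complain=$complain"
    case "$expected:$state" in
        enabled:enabled|disabled:disabled|disabled:absent) return 0 ;;
        *) return 1 ;;
    esac
}

# Run as: sudo sh check.sh enabled
if [ "$#" -gt 0 ]; then apparmor_check "$@"; fi
```

On a multi-host configuration, run the check on every host after it returns to the unlocked/enabled/available state; a non-zero exit means the host does not match the requested setting.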