
Story: 2010310 Task: 47620 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I97065a0d0c345bb32663e1ff631c5c4ca524231d
Apply a Profile to a Pod
AppArmor profiles are specified per-container.
- AppArmor should be enabled on the host(s) where workloads need to be protected using AppArmor (described in Enable/Disable AppArmor on a Host <enable-disable-apparmor-on-a-host-63a7a184d310>).
- Security Profiles Operator (SPO) should be installed, as described in Install Security Profiles Operator (SPO) <install-security-profiles-operator-1b2f9a0f0108>.
- A profile should be loaded (described in Profile Management <profile-management-a8df19c86a5d>).
To specify the AppArmor profile to run a Pod container with, add an annotation to the Pod's metadata:
container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>
Attach a profile to a container in the Pod.
$ vi test-apparmor.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-apparmor
  annotations:
    # Tell Kubernetes to apply the AppArmor profile "test-profile".
    container.apparmor.security.beta.kubernetes.io/test-apparmor: localhost/test-profile
spec:
  containers:
  - name: test-apparmor
    image: busybox:1.28
    command: [ "sh", "-c", "echo 'Hello Test AppArmor!' && sleep 1h" ]
$ kubectl apply -f test-apparmor.yaml
Verify that the container is actually running with that profile by checking its proc attr.
$ kubectl exec test-apparmor -- cat /proc/1/attr/current
test-profile (complain)
Verify that violations are blocked by attempting to write a file.
$ kubectl exec test-apparmor -- touch /tmp/test
touch: /tmp/test: Permission denied
command terminated with exit code 1
Note
If a profile is not created/loaded on a host, kubelet will reject the pod.
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
hello-apparmor 0/1 CreateContainerError 0 (49m ago) 113m
Running kubectl describe pod hello-apparmor or kubectl get event | grep hello-apparmor will show the following error:
Error: : failed to generate apparmor spec opts: apparmor profile not found test-profile
Any updates to a profile's rules are applied to the running pods that use it.
Deleting a profile while it is attached to a pod has no effect on the pod state (the pod still shows as Running). However, the application in the pod may not behave correctly, because it may try to access /proc/self/attr/apparmor/exec, which returns an error since the profile is no longer loaded.
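The following is an added example, not part of the StarlingX documentation or the Kubernetes project: a small Python audit helper that reads the per-container annotation described above from a pod manifest and checks each localhost/ reference against the list of profiles loaded on the host (in the line format of /sys/kernel/security/apparmor/profiles, e.g. "test-profile (complain)"). It reports containers with no annotation, references to profiles that are not loaded (the case in which kubelet rejects the pod), and profiles that are loaded in complain mode, where AppArmor logs violations instead of blocking them. The pod manifest and the loaded-profile listing are constructed sample data; the function names are this example's own.

```python
"""Audit AppArmor profile references in a Kubernetes pod manifest.

Hypothetical helper (not StarlingX or Kubernetes code). It parses the
container.apparmor.security.beta.kubernetes.io/<container> annotation and
cross-checks localhost/ profile references against a listing of profiles
loaded on the host.
"""
import re

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Constructed sample: the pod from the page, plus a sidecar that references a
# profile that is not loaded and a container with no annotation at all.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "test-apparmor",
        "annotations": {
            ANNOTATION_PREFIX + "test-apparmor": "localhost/test-profile",
            ANNOTATION_PREFIX + "sidecar": "localhost/missing-profile",
        },
    },
    "spec": {
        "containers": [
            {"name": "test-apparmor", "image": "busybox:1.28"},
            {"name": "sidecar", "image": "busybox:1.28"},
            {"name": "unannotated", "image": "busybox:1.28"},
        ]
    },
}

# Constructed sample in the format of /sys/kernel/security/apparmor/profiles.
SAMPLE_LOADED_PROFILES = """\
test-profile (complain)
docker-default (enforce)
/usr/sbin/tcpdump (enforce)
"""


def parse_loaded_profiles(text):
    """Return {profile_name: mode} from 'name (mode)' listing lines."""
    loaded = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?) \((\w+)\)$", line.strip())
        if m:
            loaded[m.group(1)] = m.group(2)
    return loaded


def container_profiles(pod):
    """Map each container name to its AppArmor profile reference.

    Containers without an annotation map to None (the runtime default applies).
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return {
        c["name"]: annotations.get(ANNOTATION_PREFIX + c["name"])
        for c in pod.get("spec", {}).get("containers", [])
    }


def audit_pod(pod, loaded_profiles):
    """Return a list of (container_name, finding) tuples for review."""
    findings = []
    for name, ref in container_profiles(pod).items():
        if ref is None:
            findings.append((name, "no AppArmor annotation (runtime default applies)"))
        elif ref == "unconfined":
            findings.append((name, "explicitly unconfined"))
        elif ref == "runtime/default":
            continue  # runtime's default profile: nothing to check here
        elif ref.startswith("localhost/"):
            profile = ref[len("localhost/"):]
            mode = loaded_profiles.get(profile)
            if mode is None:
                findings.append((name, f"profile '{profile}' not loaded on host; "
                                       "kubelet will reject the pod"))
            elif mode != "enforce":
                findings.append((name, f"profile '{profile}' is in {mode} mode "
                                       "(violations logged, not blocked)"))
        else:
            findings.append((name, f"malformed profile reference '{ref}'"))
    return findings


if __name__ == "__main__":
    loaded = parse_loaded_profiles(SAMPLE_LOADED_PROFILES)
    for container, finding in audit_pod(SAMPLE_POD, loaded):
        print(f"{SAMPLE_POD['metadata']['name']}/{container}: {finding}")
```

In practice the pod dict would come from `kubectl get pod <name> -o json` and the profile listing from reading /sys/kernel/security/apparmor/profiles on the node that schedules the pod; the audit then gives the same answer as the /proc/1/attr/current check above, but across every container before the pod is admitted.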
For more details, refer to Restrict a Container's Access to Resources with AppArmor: Example.