k8s.io/kubernetes@v1.29.3/test/images/apparmor-loader/README.md (about) 1 # AppArmor Profile Loader 2 3 This is a small proof-of-concept daemon to demonstrate how AppArmor profiles can be loaded onto 4 nodes of a Kubernetes cluster. It is not considered production ready, nor will it be supported as a 5 long-term solution. 6 7 ## Running the AppArmor Profile Loader 8 9 The [example-daemon.yaml](example-daemon.yaml) provides an example manifest for running the loader 10 as a cluster DaemonSet. In this example, the loader runs in a DaemonSet pod on each node in the 11 cluster, and periodically (every 30 seconds) polls for new profiles in the `apparmor-profiles` 12 configmap ([example manifest](example-configmap.yaml)). It is recommended to run the Daemon and 13 ConfigMap in a separate, restricted namespace: 14 15 $ kubectl create -f example-namespace.yaml 16 $ kubectl create -f example-configmap.yaml # Includes the k8s-nginx profile 17 $ kubectl create -f example-daemon.yaml 18 19 Check that the profile was loaded: 20 21 $ POD=$(kubectl --namespace apparmor get pod -o jsonpath="{.items[0].metadata.name}") 22 $ kubectl --namespace apparmor logs $POD 23 I0829 22:48:24.917263 1 loader.go:139] Polling /profiles every 30s 24 I0829 22:48:24.954295 1 loader.go:196] Loading profiles from /profiles/k8s-nginx: 25 Addition succeeded for "k8s-nginx". 26 I0829 22:48:24.954328 1 loader.go:100] Successfully loaded profiles: [k8s-nginx] 27 28 Trying running a pod with the loaded profile (requires Kubernetes >= v1.4): 29 30 $ kubectl create -f example-pod.yaml 31 # Verify that it's running with the new profile: 32 $ kubectl exec nginx-apparmor cat /proc/1/attr/current 33 k8s-nginx (enforce) 34 $ kubectl exec nginx-apparmor touch /tmp/foo 35 touch: cannot touch '/tmp/foo': Permission denied 36 error: error executing remote command: command terminated with non-zero exit code: Error executing in Docker Container: 1 37 38 39 ### Standalone 40 41 The loader go binary can also be run as a standalone binary on the host. It must be run with root 42 privileges: 43 44 sudo loader -logtostderr /path/to/profile/dir 45 46 Alternatively, it can be run with the supplied loader docker image: 47 48 PROFILES_PATH=/path/to/profile/dir 49 sudo docker run \ 50 --privileged \ 51 --detach=true \ 52 --volume=/sys:/sys:ro \ 53 --volume=/etc/apparmor.d:/etc/apparmor.d:ro \ 54 --volume=$PROFILES_PATH:/profiles:ro \ 55 --name=aa-loader \ 56 google/apparmor-loader:latest 57 58 ## Build the loader 59 60 The loader binary is a simple go program, and can be built with `make all-push WHAT=apparmor-loader` 61 (from test/images). 62 63 ## Limitations 64 65 The loader will not unload profiles that are removed, and will not update profiles that are changed. 66 This is by design, since there are nuanced issues with changing profiles that are in use.