k8s.io/kubernetes@v1.29.3/test/images/apparmor-loader/README.md

# AppArmor Profile Loader

This is a small proof-of-concept daemon to demonstrate how AppArmor profiles can be loaded onto
nodes of a Kubernetes cluster. It is not considered production ready, nor will it be supported as a
long-term solution.

## Running the AppArmor Profile Loader

The [example-daemon.yaml](example-daemon.yaml) provides an example manifest for running the loader
as a cluster DaemonSet. In this example, the loader runs in a DaemonSet pod on each node in the
cluster, and periodically (every 30 seconds) polls for new profiles in the `apparmor-profiles`
configmap ([example manifest](example-configmap.yaml)). It is recommended to run the Daemon and
ConfigMap in a separate, restricted namespace:

    $ kubectl create -f example-namespace.yaml
    $ kubectl create -f example-configmap.yaml # Includes the k8s-nginx profile
    $ kubectl create -f example-daemon.yaml

Check that the profile was loaded:

    $ POD=$(kubectl --namespace apparmor get pod -o jsonpath="{.items[0].metadata.name}")
    $ kubectl --namespace apparmor logs $POD
    I0829 22:48:24.917263       1 loader.go:139] Polling /profiles every 30s
    I0829 22:48:24.954295       1 loader.go:196] Loading profiles from /profiles/k8s-nginx:
    Addition succeeded for "k8s-nginx".
    I0829 22:48:24.954328       1 loader.go:100] Successfully loaded profiles: [k8s-nginx]

Try running a pod with the loaded profile (requires Kubernetes >= v1.4):

    $ kubectl create -f example-pod.yaml
    # Verify that it's running with the new profile:
    $ kubectl exec nginx-apparmor cat /proc/1/attr/current
    k8s-nginx (enforce)
    $ kubectl exec nginx-apparmor touch /tmp/foo
    touch: cannot touch '/tmp/foo': Permission denied
    error: error executing remote command: command terminated with non-zero exit code: Error executing in Docker Container: 1
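The two verification steps above (the loader's log line and `/proc/1/attr/current` inside the pod) as small POSIX shell functions. This is an added example, not code from the Kubernetes repository; it assumes the kernel's `/sys/kernel/security/apparmor/profiles` listing has one `<name> (<mode>)` entry per line, and the sample listing and log it reads are constructed so that it runs offline. On a real node, pass the live paths instead.

```shell
#!/bin/sh
# Added example (not part of the kubernetes repository): checks for the
# verification steps in the README. The sample listing and log below are
# constructed, not captured from a real node; pass the live paths instead.
# Assumed formats: /sys/kernel/security/apparmor/profiles has one
# "<name> (<mode>)" entry per line, and /proc/<pid>/attr/current prints the same.

# Print the mode (enforce/complain) in which profile $1 is loaded, reading the
# kernel profile listing from file $2 (default: the live sysfs path). Exits 1
# if the profile is not loaded at all.
profile_mode() {
    awk -v n="$1" '
        $1 == n { gsub(/[()]/, "", $2); print $2; found = 1 }
        END     { exit !found }' "${2:-/sys/kernel/security/apparmor/profiles}"
}

# Succeed only if $2, the contents of a process's /proc/<pid>/attr/current,
# shows confinement by profile $1 in enforce mode (complain mode only logs).
confined_by() {
    case $2 in
        "$1 (enforce)") return 0 ;;
        *)              return 1 ;;
    esac
}

# Succeed if the loader log in file $2 reports profile $1 as loaded. The loader
# prints the slice Go-style, e.g. "Successfully loaded profiles: [a b]".
loader_reported() {
    sed -n 's/.*Successfully loaded profiles: \[\(.*\)].*/\1/p' "$2" \
        | tr ' ' '\n' | grep -qxF -- "$1"
}

# Constructed sample inputs so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/profiles" <<'EOF'
k8s-nginx (enforce)
k8s-deny-write (complain)
EOF
cat > "$SAMPLE_DIR/loader.log" <<'EOF'
I0829 22:48:24.917263       1 loader.go:139] Polling /profiles every 30s
I0829 22:48:24.954328       1 loader.go:100] Successfully loaded profiles: [k8s-nginx]
EOF

profile_mode k8s-nginx "$SAMPLE_DIR/profiles"                  # prints: enforce
confined_by k8s-nginx "k8s-nginx (enforce)" && echo "pod is confined"
loader_reported k8s-nginx "$SAMPLE_DIR/loader.log" && echo "loader reported it"
```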

### Standalone

The loader Go binary can also be run as a standalone binary on the host. It must be run with root
privileges:

    sudo loader -logtostderr /path/to/profile/dir

Alternatively, it can be run with the supplied loader docker image:

    PROFILES_PATH=/path/to/profile/dir
    sudo docker run \
        --privileged \
        --detach=true \
        --volume=/sys:/sys:ro \
        --volume=/etc/apparmor.d:/etc/apparmor.d:ro \
        --volume=$PROFILES_PATH:/profiles:ro \
        --name=aa-loader \
        google/apparmor-loader:latest

## Build the loader

The loader binary is a simple Go program, and can be built with `make all-push WHAT=apparmor-loader`
(from test/images).

## Limitations

The loader will not unload profiles that are removed, and will not update profiles that are changed.
This is by design, since there are nuanced issues with changing profiles that are in use.