AppArmor
AppArmor
Intro
AppArmor is a security technology that can be used to enforce fine-grained access controls and limit the capabilities of individual processes or containers in a Kubernetes environment.
AppArmor primarily used to restrict filesystem, network and raw-sockets access from a Container. Apparmor is available as a kernal module, and most linux distro got it loaded by default (from exam standpoint, you're not expected to download/install apparmor binary on any of the systems, it'll be available as a pre-installed kernal module).
It is configured through profiles tuned to allow the access needed by a specific program or container, such as Linux capabilities, network access, file permissions, etc.
A quick check if Apparmor is loaded as a kernal module on a given system could be as below.
$ apparmor_status #or
$ aa-status
apparmor module is loaded.
Implementation
Create a sample AppArmor profile anywhere on the system (on the intended Worker Node).
nano /var/tmp/my-apparmor-profile
Let's use the same AppArmor profile available at official Kubernetes documentation. Paste the below code to the editor.
#include <tunables/global>
profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
}
This profile denies all file writes on local file system.
Load the profile
apparmor_parser -v /var/tmp/my-apparmor-profile
Addition succeeded for "k8s-apparmor-example-deny-write".
Optionally, you can verify if the above profile is part of the currently loaded profiles or not.
~# aa-status |grep k8s
k8s-apparmor-example-deny-write
Since we've created an AppArmor profile under /var/tmp/ location, we'll need to move the profile under /etc/apparmor.d/ location. That is primarily to use relative path in our Pod manifest. The other option is to configure the AppArmor profile directly under /etc/apparmor.d/
~# mv /var/tmp/my-apparmor-profile /etc/apparmor.d/
Now, let's apply this AppArmor profile to a Pod or a Deployment.
apiVersion: v1
kind: Pod
metadata:
name: hello-apparmor
annotations:
container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
spec:
containers:
- name: hello
image: busybox:1.28
command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
Side notes:
The syntax of "annotation" is as follows:
container.apparmor.security.beta.kubernetes.io/<container name>: <path to apparmor profile>
<container name> refers to the "container name" and not the "Pod" name.
"annotations" is a must since AppArmor is still a beta feature.
Note that you must have to use the AppArmor Profile name (k8s-apparmor-example-deny-write), and not the file-name (my-apparmor-profile) of the AppArmor Profile in the annotations.
Optionally, you can schedule this Pod to a specific Node using nodeName selector where the AppArmor profile is loaded.
apiVersion: v1
kind: Pod
metadata:
name: hello-apparmor
annotations:
container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
spec:
containers:
- name: hello
image: busybox:1.28
command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
#This Pod will be scheduled to "w1" Node, and AppArmor profile must be loaded prior to schedule the Pod on the Node.
nodeName: w1
Verify the setup
- Let's first check the current status of the Container first.
# k get pod hello-apparmor -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
hello-apparmor 1/1 Running 0 65s 10.244.1.61 w1 <none> <none>
Check which AppArmor profile is loaded inside the container.
# kubectl exec hello-apparmor -- cat /proc/1/attr/current
k8s-apparmor-example-deny-write (enforce)
Try to create a file named 'test' under /tmp directory inside the container.
# k exec hello-apparmor -- touch /tmp/test
touch: /tmp/test: Permission denied
command terminated with exit code 1
As we can see, AppArmor is successfully preventing the container to write to the file-system.
Tip
AppArmor is a kernal module, and hence it's Node specific. In the exam, make sure you're loading the AppArmor profile on the RIGHT node.