Securing a pod with AppArmor

As AppArmor support is still in beta, you specify the profile as annotations and not as bona fide pod fields; when it leaves beta that will change. (In later Kubernetes releases the same setting moved into the pod and container securityContext as appArmorProfile, but the annotation form described here is what the beta API uses.)

To apply a profile to a container, add the following annotation:

container.apparmor.security.beta.kubernetes.io/<container-name>: <profile-ref>

The profile reference can be either the container runtime's default profile, runtime/default, or a profile that has already been loaded into the node's kernel, localhost/<profile-name>. A third value, unconfined, explicitly disables AppArmor for the container and should be treated as a finding when reviewing manifests.

Here is a sample profile that prevents writing to files:

#include <tunables/global>

profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}

AppArmor profiles are not Kubernetes resources, so the format is AppArmor's own policy language and not the YAML or JSON you're familiar with.

To verify that the profile was attached correctly, check the AppArmor attribute of the container's PID 1:

kubectl exec <pod-name> -- cat /proc/1/attr/current

For the profile above this prints k8s-apparmor-example-deny-write (enforce). If it prints unconfined, the annotation was not applied; if the mode is (complain) rather than (enforce), violations are only logged, not blocked.
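The following is an added example (not code from the book or from Kubernetes) that ties the two steps above together in Python: it builds the annotation and a pod manifest for a given container and profile reference, rejecting references that are not one of the three forms the beta annotation accepts, and it parses the line that cat /proc/1/attr/current returns so a script can fail when the profile is missing or only in complain mode. The pod name, image and the sample attr/current line are constructed for the example.

```python
"""Added example: build the AppArmor pod annotation and verify its effect.

Not from the book; pod name, image and sample output are constructed.
"""
import json
import re

APPARMOR_ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Forms the beta annotation accepts: the runtime's default profile, a profile
# already loaded into the node's kernel, or explicitly no confinement.
_PROFILE_REF = re.compile(r"^(runtime/default|unconfined|localhost/\S+)$")
# Container names are DNS labels.
_CONTAINER_NAME = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def apparmor_annotation(container_name: str, profile_ref: str) -> dict:
    """Return the {key: value} annotation for one container, validating both parts."""
    if not _CONTAINER_NAME.match(container_name):
        raise ValueError(f"bad container name: {container_name!r}")
    if not _PROFILE_REF.match(profile_ref):
        raise ValueError(f"unsupported profile reference: {profile_ref!r}")
    return {APPARMOR_ANNOTATION_PREFIX + container_name: profile_ref}


def annotated_pod(pod_name: str, image: str, profile_ref: str,
                  container_name: str = "app") -> dict:
    """Minimal pod manifest carrying the annotation (kubectl apply accepts JSON)."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {
            "name": pod_name,
            "annotations": apparmor_annotation(container_name, profile_ref),
        },
        "spec": {
            "containers": [
                {"name": container_name, "image": image,
                 "command": ["sh", "-c", "sleep 3600"]}
            ],
        },
    }


def parse_attr_current(text: str):
    """Parse the content of /proc/1/attr/current.

    The kernel reports 'profile-name (mode)' for a confined process and the
    bare word 'unconfined' otherwise.  Returns (profile, mode); mode is None
    when the process is unconfined.
    """
    text = text.strip()
    if text == "unconfined":
        return "unconfined", None
    m = re.match(r"^(\S+) \((\w+)\)$", text)
    if not m:
        raise ValueError(f"unexpected attr/current content: {text!r}")
    return m.group(1), m.group(2)


def profile_enforced(text: str, expected_profile: str) -> bool:
    """True only if the expected profile is attached AND in enforce mode.

    A profile in complain mode logs violations without blocking them, so
    '(complain)' counts as a failed check, as does 'unconfined'.
    """
    profile, mode = parse_attr_current(text)
    return profile == expected_profile and mode == "enforce"


if __name__ == "__main__":
    manifest = annotated_pod("hello-apparmor", "busybox",
                             "localhost/k8s-apparmor-example-deny-write")
    print(json.dumps(manifest, indent=2))
    # Constructed sample of what `kubectl exec <pod> -- cat /proc/1/attr/current`
    # prints once the profile from the text above is attached.
    sample = "k8s-apparmor-example-deny-write (enforce)\n"
    print(profile_enforced(sample, "k8s-apparmor-example-deny-write"))
```

Pipe the printed manifest to kubectl apply -f -, then feed the real output of the kubectl exec command to profile_enforced; anything other than True means the pod is running without the intended confinement.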

Pods can be scheduled on any node in the cluster by default, and the kubelet rejects a pod whose referenced profile is not loaded on the node it lands on. This means the profile must be loaded (with apparmor_parser) into every node, or the pod must be pinned with a nodeSelector to nodes that have it. Loading a profile on every node is a classic use case for a DaemonSet.
