Install Security Profiles Operator (SPO)¶
In order to apply the profiles to a particular pod, the profiles need to be available to the host machine where the pod is launched. Security Profile Operator (SPO, https://github.com/kubernetes-sigs/security-profiles-operator) provides AppArmor profile management (i.e. loading/unloading) across Kubernetes nodes. SPO defines an AppArmor Profile CRD, such that end users’ can define AppArmor profiles for SPO to manage.
SPO is packaged as a system application and is managed using system application commands. To install SPO, use the following procedure.
Prerequisites
AppArmor should be enabled on the host(s) (described in Enable/Disable AppArmor on a Host), where workloads need to be protected using AppArmor.
Procedure
Locate the SPO tarball in
/usr/local/share/applications/helm
.For example:
/usr/local/share/applications/helm/security-profiles-operator-<version>.tgz
Upload the application.
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/security-profiles-operator-<version>.tgz
Verify the SPO tarball has been uploaded.
~(keystone_admin)]$ system application-list
Apply the application.
~(keystone_admin)]$ system application-apply security-profiles-operator
Monitor the status.
~(keystone_admin)]$ watch -n 5 system application-list OR ~(keystone_admin)]$ watch kubectl get pods -n security-profiles-operator
The configuration of the installed security-profiles-operator
application
is as follows:
security-profiles-operator
Runs as a deployment, replica count of 3 on the controller(s).
security-profiles-operator-webhook
Runs as a deployment, replica count of 3.
spod
Runs as a daemonset on every Kubernetes host (i.e., controller(s) and worker(s)), where application pods can be scheduled.
Remove Security Profiles Operator (SPO)¶
Run the following commands to remove SPO. This will remove pods and other resources created by the application installation.
Note
This procedure does not remove the apparmor profiles created using SPO, You can delete the profiles previously created by following the procedure described in Delete a profile across all hosts using SPO.
If an AppArmor profile is deleted, all pods with that AppArmor profile annotation should be either removed or updated to remove the annotation.
Remove the application.
~(keystone_admin)]$ system application-remove security-profiles-operator
Delete the application.
~(keystone_admin)]$ system application-delete security-profiles-operator
Note
To remove AppArmor from a StarlingX deployment requires removing SPO as specified in this section and then disabling AppArmor on all the host(s). For more details, see Enable/Disable AppArmor on a Host.
Disable AppArmor from a StarlingX deployment¶
To disable AppArmor from a deployment, need to follow below steps:
Remove SPO system app (refer to Remove Security Profiles Operator (SPO)).
Disable AppArmor on host(s) (refer to Enable/Disable AppArmor on a Host).