Install Security Profiles Operator (SPO)

In order to apply a profile to a particular pod, the profile must be loaded on the host where the pod is launched. Security Profiles Operator (SPO, https://github.com/kubernetes-sigs/security-profiles-operator) provides AppArmor profile management (i.e. loading/unloading) across Kubernetes nodes. SPO defines an AppArmor profile CRD so that end users can define AppArmor profiles as Kubernetes resources and have SPO distribute and manage them.

SPO is packaged as a StarlingX system application and is managed using the system application commands. To install SPO, use the following procedure.

Prerequisites

AppArmor must be enabled on every host where workloads are to be protected using AppArmor (described in Enable/Disable AppArmor on a Host).

Procedure

  1. Locate the SPO tarball in /usr/local/share/applications/helm.

    For example:

    /usr/local/share/applications/helm/security-profiles-operator-<version>.tgz
    
  2. Upload the application.

    ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/security-profiles-operator-<version>.tgz
    
  3. Verify the SPO tarball has been uploaded.

    ~(keystone_admin)]$ system application-list
    
  4. Apply the application.

    ~(keystone_admin)]$ system application-apply security-profiles-operator
    
  5. Monitor the status until the apply completes and all pods in the security-profiles-operator namespace are Running.

    ~(keystone_admin)]$ watch -n 5 system application-list
    
    OR
    
    ~(keystone_admin)]$ watch kubectl get pods -n security-profiles-operator
    

The configuration of the installed security-profiles-operator application is as follows:

security-profiles-operator

Runs as a deployment with a replica count of 3, on the controller(s).

security-profiles-operator-webhook

Runs as a deployment with a replica count of 3.

spod

Runs as a daemonset on every Kubernetes host (i.e., controller(s) and worker(s)) where application pods can be scheduled, so that profiles are loaded on each host that may run a protected pod.
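Step 5 of the install procedure and the layout above give the criteria for a healthy install: three ready replicas of each deployment and a Running spod pod on every host. The following script, added here as an example and not part of the StarlingX documentation or the SPO project, turns that into a check over the output of kubectl get nodes and kubectl get pods -n security-profiles-operator -o wide. The node list and pod listing embedded in it are constructed samples (pod hashes, IPs and READY counts are placeholders); replace them with the live command output shown in the comments.

```shell
#!/bin/sh
# Post-install health check for SPO on StarlingX (added example; not code from
# the StarlingX docs or the SPO project). Expected state, from the install
# procedure: 3 ready operator replicas, 3 ready webhook replicas, and one
# Running spod pod with all containers ready on every Kubernetes host.
#
# Live inputs:
#   NODES=$(kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name)
#   PODS=$(kubectl get pods -n security-profiles-operator -o wide --no-headers)

# Constructed sample standing in for the node list.
SAMPLE_NODES='controller-0
controller-1
worker-0'

# Constructed sample standing in for `kubectl get pods -o wide --no-headers`
# (columns: NAME READY STATUS RESTARTS AGE IP NODE NOMINATED-NODE READINESS-GATES).
# Pod hashes, IPs and READY counts are placeholders; worker-0's spod pod is
# deliberately left Pending to show a failed check.
SAMPLE_PODS='security-profiles-operator-7b9c4d8f5-abcde   1/1   Running   0   5m   172.16.1.10   controller-0   <none>   <none>
security-profiles-operator-7b9c4d8f5-fghij   1/1   Running   0   5m   172.16.1.11   controller-1   <none>   <none>
security-profiles-operator-7b9c4d8f5-klmno   1/1   Running   0   5m   172.16.1.12   controller-0   <none>   <none>
security-profiles-operator-webhook-6d5f7c9b8-pqrst   1/1   Running   0   5m   172.16.1.13   controller-0   <none>   <none>
security-profiles-operator-webhook-6d5f7c9b8-uvwxy   1/1   Running   0   5m   172.16.1.14   controller-1   <none>   <none>
security-profiles-operator-webhook-6d5f7c9b8-z0123   1/1   Running   0   5m   172.16.1.15   controller-0   <none>   <none>
spod-4a5b6   3/3   Running   0   5m   172.16.1.16   controller-0   <none>   <none>
spod-7c8d9   3/3   Running   0   5m   172.16.1.17   controller-1   <none>   <none>
spod-0e1f2   2/3   Pending   0   5m   <none>   worker-0   <none>   <none>'

# Print, one per line, the nodes that have no spod pod in Running state with
# all containers ready. Args: $1 = node list, $2 = pod listing (-o wide).
missing_spod_nodes() {
  printf '%s\n' "$1" | while IFS= read -r node; do
    [ -n "$node" ] || continue
    ok=$(printf '%s\n' "$2" | awk -v n="$node" '
      $1 ~ /^spod-/ && $7 == n && $3 == "Running" {
        split($2, r, "/"); if (r[1] == r[2]) found = 1
      }
      END { print found ? 1 : 0 }')
    [ "$ok" = "1" ] || printf '%s\n' "$node"
  done
}

# Count Running pods whose name matches the given regex and whose containers
# are all ready. Args: $1 = pod listing, $2 = awk regex on the pod name.
ready_replicas() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 ~ p && $3 == "Running" { split($2, r, "/"); if (r[1] == r[2]) c++ }
    END { print c + 0 }'
}

# Overall check: returns 0 when the install matches the documented layout,
# 1 otherwise, printing what is missing. Args: $1 = node list, $2 = pod listing.
spo_install_check() {
  rc=0
  missing=$(missing_spod_nodes "$1" "$2")
  if [ -n "$missing" ]; then
    echo "spod not Running/ready on: $(printf '%s' "$missing" | tr '\n' ' ')"
    rc=1
  fi
  # Operator pods are <deployment>-<rs hash>-<id>; the webhook deployment shares
  # the prefix, so the operator regex requires exactly two trailing segments.
  op=$(ready_replicas "$2" '^security-profiles-operator-[^-]+-[^-]+$')
  wh=$(ready_replicas "$2" '^security-profiles-operator-webhook-')
  [ "$op" -ge 3 ] || { echo "operator ready replicas: $op (expected 3)"; rc=1; }
  [ "$wh" -ge 3 ] || { echo "webhook ready replicas: $wh (expected 3)"; rc=1; }
  return "$rc"
}

# Stand-alone run over the constructed samples; fails because worker-0's spod
# pod is still Pending in the sample.
if spo_install_check "$SAMPLE_NODES" "$SAMPLE_PODS"; then
  echo "SPO install check passed"
else
  echo "SPO install check failed"
fi
```

A host that is missing from the spod list is a host on which no SPO-managed profile is loaded; any pod scheduled there with an AppArmor annotation will not start, so treat an empty report from this check as the gate before applying profiles.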

Remove Security Profiles Operator (SPO)

Run the following commands to remove SPO. This removes the pods and other resources created when the application was installed.

Note

This procedure does not remove the AppArmor profiles created using SPO. Delete those profiles first, following the procedure described in Delete a profile across all hosts using SPO.

Before an AppArmor profile is deleted, every pod carrying that profile's annotation must be either removed or updated to drop the annotation; otherwise those pods cannot be restarted, because the container runtime refuses to launch a container whose AppArmor profile is not loaded on the host.

  1. Remove the application.

    ~(keystone_admin)]$ system application-remove security-profiles-operator
    
  2. Delete the application.

    ~(keystone_admin)]$ system application-delete security-profiles-operator
    

Note

Removing AppArmor from a StarlingX deployment requires removing SPO as described in this section and then disabling AppArmor on all hosts. For more details, see Enable/Disable AppArmor on a Host.

Disable AppArmor from a StarlingX deployment

To disable AppArmor across a deployment, follow these steps in order:

  1. Remove SPO system app (refer to Remove Security Profiles Operator (SPO)).

  2. Disable AppArmor on host(s) (refer to Enable/Disable AppArmor on a Host).