Profile Management¶
AppArmor profiles can be managed using SPO CRD (apparmorprofile
). A
user can load, update, and delete a profile.
Load a profile in enforce mode across all hosts using SPO¶
Apply the profile.
$ vi apparmorprofile.yaml --- apiVersion: security-profiles-operator.x-k8s.io/v1alpha1 kind: AppArmorProfile metadata: name: test-profile annotations: description: Block writing to any files in the disk. spec: policy: | #include <tunables/global> profile test-profile flags=(attach_disconnected) { #include <abstractions/base> file, # Deny all file writes. deny /** w, } $ kubectl apply -f apparmorprofile.yaml
Verify if
apparmorprofile
resource is created.$ kubectl get apparmorprofiles NAME AGE test-profile 3d5h
Verify if test-profile is loaded in enforce mode on a host.
$ aa-status apparmor module is loaded. 20 profiles are loaded. 13 profiles are in enforce mode. /usr/bin/man /usr/lib/ipsec/charon /usr/lib/ipsec/stroke /usr/sbin/ntpd cri-containerd.apparmor.d docker-default lsb_release man_filter man_groff nvidia_modprobe nvidia_modprobe//kmod tcpdump test-profile 7 profiles are in complain mode. /usr/bin/keystone-wsgi-public /usr/sbin/sssd /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pam
Load a profile in complain mode across all hosts using SPO¶
Apply the profile.
$ vi apparmorprofile.yaml --- apiVersion: security-profiles-operator.x-k8s.io/v1alpha1 kind: AppArmorProfile metadata: name: test-profile annotations: description: Block writing to any files in the disk. spec: policy: | #include <tunables/global> profile test-profile flags=(attach_disconnected, complain) { #include <abstractions/base> file, # Deny all file writes. deny /** w, } $ kubectl apply -f apparmorprofile.yaml
Verify if apparmorprofile resource is created.
$ kubectl get apparmorprofiles NAME AGE test-profile 3d5h
Verify if test-profile is loaded in complain mode on a host.
aa-status apparmor module is loaded. 20 profiles are loaded. 12 profiles are in enforce mode. /usr/bin/man /usr/lib/ipsec/charon /usr/lib/ipsec/stroke /usr/sbin/ntpd cri-containerd.apparmor.d docker-default lsb_release man_filter man_groff nvidia_modprobe nvidia_modprobe//kmod tcpdump 6 profiles are in complain mode. /usr/bin/keystone-wsgi-public /usr/sbin/sssd /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pam test-profile 0 processes have profiles defined. 0 processes are in enforce mode. 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.
Update a profile across all hosts using SPO¶
Update the policy section of the
.yaml
used to create the profile.$ vi apparmorprofile.yaml --- apiVersion: security-profiles-operator.x-k8s.io/v1alpha1 kind: AppArmorProfile metadata: name: test-profile annotations: description: Block writing to any files in the disk. spec: policy: | #include <tunables/global> profile test-profile flags=(attach_disconnected, complain) { #include <abstractions/base> file, # Deny all file writes. deny /** w, network inet tcp, network inet udp, capability chown, }
Update the profile.
$ kubectl apply -f apparmorprofile.yaml
Verify if the test-profile is added. Check the test-profile content at
/etc/apparmor.d
on a host.$ cat test-profile #include <tunables/global> profile test-profile flags=(attach_disconnected, complain) { #include <abstractions/base> file, # Deny all file writes. deny /** w, network inet tcp, network inet udp, capability chown, }
Delete a profile across all hosts using SPO¶
List the AppArmor profiles.
$ kubectl get apparmorprofiles.security-profiles-operator.x-k8s.io NAME AGE test-profile 4d1h
Delete the AppArmor profiles using
.yaml
file as follows:$ kubectl delete -f apparmorprofile.yaml
OR using imperative commands:
$ kubectl delete apparmorprofiles.security-profiles-operator.x-k8s.io <profile-name>
Verify if apparmorprofile resource is deleted.
$ kubectl get apparmorprofiles.security-profiles-operator.x-k8s.io No resources found in default namespace.
Verify if test-profile is removed from a host using
aa-status
.$ aa-status apparmor module is loaded. 20 profiles are loaded. 13 profiles are in enforce mode. /usr/bin/man /usr/lib/ipsec/charon /usr/lib/ipsec/stroke /usr/sbin/ntpd cri-containerd.apparmor.d docker-default lsb_release man_filter man_groff nvidia_modprobe nvidia_modprobe//kmod tcpdump 7 profiles are in complain mode. /usr/bin/keystone-wsgi-public /usr/sbin/sssd /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss /usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pam