Apparmor

Step 0: Install Apparmor

sudo apt install apparmor-easyprof apparmor-notify apparmor-utils certspotter

Step 1: Lets Create a Simple Apparmor Profile.

Ensure this profile should be available in the system where ever the pod with apparmor annotation is running

sudo apparmor_parser -q <<EOF
#include <tunables/global>

profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
EOF

Step 2: Verify the status of the profile:

sudo aa-status

Step 3: Sample YAML File based on Host PID:

mkdir apparmor && cd apparmor

cat <<EOF >> hello-armor.yml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
EOF

Step 4: Apply the Pod Manifest file

kubectl apply -f hello-armor.yml

Verify if the Pod is running or not. If you see the Pod in "Blocked" State, identify why the pod is blocked.

kubectl get pods

If the Apparmor profile is not present in the Worker node on which the pod is running, the pod go to blocked state.

In Case if your pod is running then verify the logs of pod

kubectl logs hello-apparmor

Step 5: Verification Stage

kubectl exec -it hello-apparmor -- sh

Inside the Pod Shell, run the following

touch /tmp/file.txt

You should get permission denied Error, when you run the above command.

List the Apparmor Profiles

sudo cat /sys/kernel/security/apparmor/profiles

Remove the Apparmore Profile

sudo apparmor_parser -R <<EOF
#include <tunables/global>

profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
EOF

Disbale Apparmor

sudo systemctl stop apparmor.service
sudo systemctl disable apparmor.service