Manually loading an Apparmor profile to Kubernetes
The aim of this doc is, as the title suggests, to load an apparmor profile to a Kubernetes node and see that it is loaded. What it is not is an explainer of AppArmor or how to create profiles. For that there are a few resources at the bottom which will be more useful.
Install the tools
I’m using the AppArmor utils to manipulate AppArmor here. The first thing you will want to do is open a shell on the Kubernetes node. An important thing to note is that if there are multiple nodes in your cluster you will have to do this individually on each node, so it is easiest to scale your cluster down to a single node if possible. Opening the shell differs depending on where your cluster is; I’m using GKE on Google Cloud, so I use this command to connect.
gcloud beta compute ssh --zone "<zone>" "<node_name>" --project "<project_name>"
The tools themselves are installed using the following command.
apt-get update && apt-get install -y apparmor apparmor-utils
Note: this node is running Ubuntu. If the toolbox command is available on your node, you can use it to run the apt-get command below.
Check that it is working with the following command, which lists the profiles already loaded on the node. You may need root access (sudo su).
aa-status
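The install check above, and the deny-write profile the next section starts to describe, can be scripted as one unit. The following is an added example and is not part of the original post: it renders a profile named k8s-apparmor-deny-write into /etc/apparmor.d, loads it with apparmor_parser, and confirms the name appears in aa-status output. The profile rules themselves (read/exec everywhere, deny all writes) and the helper names are this example's own assumptions; the aa-status text used for the offline check is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Renders a deny-all-writes
# AppArmor profile, loads it on the node and verifies it via aa-status.

PROFILE_NAME="k8s-apparmor-deny-write"   # name assumed here; pick your own
PROFILE_DIR="/etc/apparmor.d"

# Emit the profile text for the given name. "file," grants read and execute
# on every path; the deny rule then removes write permission everywhere.
render_profile() {
  cat <<EOF
#include <tunables/global>

profile ${1} flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
EOF
}

# Return 0 if the aa-status output passed as \$2 lists profile \$1.
# aa-status indents profile names, so leading whitespace is stripped and the
# whole line must match: "foo" does not match a profile called "foo-bar".
profile_loaded() {
  printf '%s\n' "$2" | sed 's/^[[:space:]]*//' | grep -qxF -- "$1"
}

# Write the profile file and load it. Needs root and apparmor-utils on the
# node. apparmor_parser -r replaces the profile if it is already loaded.
install_profile() {
  render_profile "$PROFILE_NAME" > "${PROFILE_DIR}/${PROFILE_NAME}"
  apparmor_parser -r "${PROFILE_DIR}/${PROFILE_NAME}"
  if profile_loaded "$PROFILE_NAME" "$(aa-status)"; then
    echo "loaded: $PROFILE_NAME"
  else
    echo "NOT loaded: $PROFILE_NAME" >&2
    return 1
  fi
}

# Constructed sample of aa-status output (not captured from a real node),
# used to exercise profile_loaded without touching the kernel.
SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/ntpd
   k8s-apparmor-deny-write
   lxc-container-default
0 profiles are in complain mode.'

# Offline self-check: the sample lists our profile, and a name that is only
# a prefix of it is not reported as loaded.
demo_check() {
  profile_loaded "$PROFILE_NAME" "$SAMPLE_STATUS" || return 1
  if profile_loaded "k8s-apparmor" "$SAMPLE_STATUS"; then return 1; fi
  return 0
}

# Only modify the node when explicitly asked: ./load-profile.sh --install
if [ "${1:-}" = "--install" ]; then
  install_profile
fi
```

Run it with --install as root on the node; without the flag it only defines the functions, so the offline check can be run by sourcing the file and calling demo_check. If aa-status does not show the profile after apparmor_parser returns, run apparmor_parser without -q style options and read its stderr: a syntax error in the profile file is the usual cause.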
Setting up the Profile
AppArmor profiles are stored in the /etc/apparmor.d directory, so cd into that folder and create a new file. I am using the name k8s-apparmor-deny-write. As the name suggests, the profile will block all writes to