I am trying to load an apparmor profile I created using GKE and some of the following instructions.
To apply the created app armor profile I followed this instructions:
which is just the apparmor parser applied to the node[s], and some follow up instructions to apply this same profile creation during restart of the node. Basically is running the following line:
/sbin/apparmor_parser --replace --write-cache /etc/apparmor.d/no_raw_net
and testing that a container with this profile is secured as expected.
As a second step I defined an environment variable with the apparmor profile name inside of an environment variable of the pod. As explained in here:
https://cloud.google.com/migrate/anthos/docs/troubleshooting/app-armor-profile
Basically is defining the pod in this way:
spec:
containers:
- image: gcr.io/my-project/my-container:v1.0.0
name: my-container
env:
- name: HC_APPARMOR_PROFILE
value: "apparmor-profile-name"
securityContext:
privileged: true
Inside of the host the apparmor profile works as expected. But I cannot provide this profile.
Also tried removing the security context section of the pod that is defined as true in the documentation for gke.
Last but not least I tried with k8s pod annotation which is a feature of k8s to set a profile to a given container as explained here:
https://kubernetes.io/docs/tutorials/security/apparmor/
with this the pod looks like this:
apiVersion: v1
kind: Pod
metadata:
name: hello-apparmor-2
annotations:
container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-allow-write
spec:
containers:
- name: hello
image: busybox
command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
but also had no good luck to apply the given profile.
Also tried to apply user-data config as a custom metadata for the cloud-init of the node instance, so it can add also the profile I created to app armor, and double check that the creation matters is not an issue but the edition of the cluster matadata is disable post creation of the cluster, and the creation of a new cluster node with the user-data is not allowed due to the fact that user-data is reserved for the container optimized os user data that will be defined by google.
No matter what I do I always end up either having unconfined profile for the current container or "cri-containerd.apparmor.d (enforce)" depending if the security context is set to true or not...
Do you have any advice on how can I provide the given profile to a pod in GKE?
If I understood the question correctly, seems like you are mixing the profile's filename with the profile name.
annotations:
container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/<profile-name>
Here, <profile-name> is the name of the profile, it's not the same as the filename of the profile. Eg: in the below example filename is no_raw_net and profile name is no-ping.
cat > /etc/apparmor.d/no_raw_net <<EOF
#include <tunables/global>
profile no-ping flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network inet tcp,
network inet udp,
network inet icmp,
deny network raw,
deny network packet,
file,
mount,
}
EOF