Solutions Lab - AppArmor:
-
AppArmor support in Kubernetes is in ____ state as of version 1.20.
beta
Is the AppArmor module loaded in node01?
Run $ ssh node01 then $ aa-status. The first line of the output, "apparmor module is loaded.", confirms it. Yes
-
How many AppArmor profiles have been loaded in total currently?
Run $ ssh node01 then $ aa-status and read the "N profiles are loaded." line. 52
-
How many AppArmor profiles have been loaded in enforce mode currently?
Run $ ssh node01 then $ aa-status and read the "N profiles are in enforce mode." line. 15
-
A pod called nginx has been deployed in the default namespace. What is the status of this pod?
Exit from node01 using $ exit, then list the pods and examine the STATUS column: $ kubectl get pods. Blocked
-
Why is this pod in a blocked state?
Inspect the message for this pod by running $ kubectl describe pod nginx. The kubelet refuses to start a container whose requested AppArmor profile is not loaded on the node. AppArmor profile not loaded
-
What is the name of the AppArmor profile used by this pod?
Inspect the failure message for this pod by running $ kubectl describe pod nginx; the same name appears in the pod's container.apparmor.security.beta.kubernetes.io/<container-name> annotation as localhost/<profile>. custom-nginx
-
Load the AppArmor profile called custom-nginx on node01 and make sure that it is in enforce mode. The profile file is called usr.sbin.nginx, located in the default AppArmor profiles directory.
$ ssh node01
$ apparmor_parser -q /etc/apparmor.d/usr.sbin.nginx
Verify with $ aa-status | grep custom-nginx: the profile must appear under the "profiles are in enforce mode." section. The name shown by aa-status (custom-nginx) is the one declared inside the file, not the filename. apparmor_parser loads a profile in enforce mode unless the file itself sets the complain flag; if the profile is already loaded, use apparmor_parser -r to replace it.
-
Recreate the nginx pod. The pod definition file is created at
/root/CKS/custom-nginx.yaml
The blocked pod is not re-evaluated by the kubelet after the profile is loaded, so delete it and create it again:
$ exit
$ kubectl delete pod nginx
$ kubectl apply -f /root/CKS/custom-nginx.yaml
-
Which tabs are you able to access?
Both the public and the restricted site: the custom-nginx profile does not restrict reads of the restricted directory.
-
Let's fix that. Another profile is created at
/etc/apparmor.d/usr.sbin.nginx-updated
which prevents reads on the restricted directory inside the container. Use this AppArmor profile and recreate the container.
First check whether restricted-nginx is already loaded: $ ssh node01 then $ aa-status | grep restricted-nginx
Load it: $ apparmor_parser -q /etc/apparmor.d/usr.sbin.nginx-updated
Validate that it is now listed under "profiles are in enforce mode.": $ aa-status | grep restricted-nginx
Exit back to the control plane ($ exit), change the pod YAML annotation to the restricted-nginx profile, i.e. container.apparmor.security.beta.kubernetes.io/<container-name>: localhost/restricted-nginx, then delete and recreate the pod: $ kubectl delete pod nginx and $ kubectl apply -f /root/CKS/custom-nginx.yaml
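The two checks the lab repeats (is the profile loaded, and is it in enforce mode rather than complain) and the annotation that ties the pod to the profile, as an added worked example that is not part of the lab files. The aa-status text below is a constructed sample; on node01 you would capture the real output with ssh node01 aa-status. The pod name, container name and image used in the manifest are assumptions for illustration; the annotation key format and the localhost/ prefix are the Kubernetes AppArmor conventions the lab relies on.

```shell
#!/usr/bin/env bash
# Added example for this lab page (not one of the lab's own files).
# Helpers: parse `aa-status` output to confirm that a profile is loaded in
# enforce mode, and render a pod manifest that pins a container to that
# profile through the AppArmor annotation.

# Constructed aa-status output, shortened to four profiles. In the lab,
# capture the real text with:  status=$(ssh node01 aa-status)
SAMPLE_AA_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/sbin/nginx
   custom-nginx
   restricted-nginx
1 profiles are in complain mode.
   /usr/bin/man
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_count loaded|enforce|complain [STATUS_TEXT]
# Prints the number from "N profiles are loaded." or "N profiles are in X mode."
profile_count() {
  mode="$1"
  status="${2:-$(aa-status 2>/dev/null)}"
  printf '%s\n' "$status" | awk -v mode="$mode" '
    mode == "loaded" && /profiles are loaded/                   { print $1; exit }
    mode != "loaded" && $0 ~ ("profiles are in " mode " mode")  { print $1; exit }'
}

# profile_mode NAME [STATUS_TEXT]
# Prints enforce, complain or unloaded. aa-status lists profile names under the
# "profiles are in <mode> mode." headers, one per line, so track which header
# we are under and stop once the "processes" lines begin.
profile_mode() {
  name="$1"
  status="${2:-$(aa-status 2>/dev/null)}"
  printf '%s\n' "$status" | awk -v want="$name" '
    /profiles are in enforce mode/    { section = "enforce";  next }
    /profiles are in complain mode/   { section = "complain"; next }
    /profiles are in / || /processes/ { section = "";         next }
    section != "" && $1 == want       { print section; found = 1; exit }
    END { if (!found) print "unloaded" }'
}

# render_pod_manifest POD CONTAINER IMAGE PROFILE
# The annotation key is container.apparmor.security.beta.kubernetes.io/<container>
# and the value localhost/<profile> names a profile already loaded on the node;
# the kubelet leaves the pod in Blocked if that profile is missing.
render_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
  annotations:
    container.apparmor.security.beta.kubernetes.io/$2: localhost/$4
spec:
  containers:
  - name: $2
    image: $3
EOF
}

# Walk-through on the constructed sample (pod, container and image names are assumptions):
echo "loaded: $(profile_count loaded "$SAMPLE_AA_STATUS"), enforce: $(profile_count enforce "$SAMPLE_AA_STATUS")"
for p in custom-nginx restricted-nginx /usr/bin/man not-a-profile; do
  printf '%-16s %s\n' "$p" "$(profile_mode "$p" "$SAMPLE_AA_STATUS")"
done
render_pod_manifest nginx nginx nginx restricted-nginx
```

Run profile_mode restricted-nginx before applying the manifest and refuse to continue unless it prints enforce; a profile listed under complain mode logs violations but does not stop the read of the restricted directory. On clusters from Kubernetes 1.30 onward the annotation is superseded by the securityContext.appArmorProfile field (type: Localhost, localhostProfile: restricted-nginx); the 1.20-era cluster in this lab uses the annotation.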