starlingx/docs
Code Issues Proposed changes
docs/doc/source/security/kubernetes/profile-management-a8df19c86a5d.rst
Elisamara Aoki Goncalves ace0287d7a AppArmor Support (dsR8) 
Story: 2010310
Task: 47620

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I97065a0d0c345bb32663e1ff631c5c4ca524231d
2023-04-25 15:53:17 -03:00

258 lines
7.1 KiB
ReStructuredText
Raw Blame History

.. _profile-management-a8df19c86a5d:
==================
Profile Management
==================
AppArmor profiles can be managed using |SPO| |CRD| (``apparmorprofile``). A
user can load, update, and delete a profile.
.. _load-a-profile-in-enforce-mode-across-all-hosts-using-spo:
Load a profile in enforce mode across all hosts using SPO
---------------------------------------------------------
#. Apply the profile.
.. code-block:: none
$ vi apparmorprofile.yaml
---
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
metadata:
name: test-profile
annotations:
description: Block writing to any files in the disk.
spec:
policy: |
#include <tunables/global>
profile test-profile flags=(attach_disconnected) {
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
}
$ kubectl apply -f apparmorprofile.yaml
#. Verify if ``apparmorprofile`` resource is created.
.. code-block:: none
$ kubectl get apparmorprofiles
NAME AGE
test-profile 3d5h
#. Verify if test-profile is loaded in enforce mode on a host.
.. code-block:: none
$ aa-status
apparmor module is loaded.
20 profiles are loaded.
13 profiles are in enforce mode.
/usr/bin/man
/usr/lib/ipsec/charon
/usr/lib/ipsec/stroke
/usr/sbin/ntpd
cri-containerd.apparmor.d
docker-default
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
tcpdump
test-profile
7 profiles are in complain mode.
/usr/bin/keystone-wsgi-public
/usr/sbin/sssd
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pam
Load a profile in complain mode across all hosts using SPO
----------------------------------------------------------
#. Apply the profile.
.. code-block:: none
$ vi apparmorprofile.yaml
---
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
metadata:
name: test-profile
annotations:
description: Block writing to any files in the disk.
spec:
policy: |
#include <tunables/global>
profile test-profile flags=(attach_disconnected, complain) {
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
}
$ kubectl apply -f apparmorprofile.yaml
#. Verify if apparmorprofile resource is created.
.. code-block:: none
$ kubectl get apparmorprofiles
NAME AGE
test-profile 3d5h
#. Verify if test-profile is loaded in complain mode on a host.
.. code-block:: none
aa-status
apparmor module is loaded.
20 profiles are loaded.
12 profiles are in enforce mode.
/usr/bin/man
/usr/lib/ipsec/charon
/usr/lib/ipsec/stroke
/usr/sbin/ntpd
cri-containerd.apparmor.d
docker-default
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
tcpdump
6 profiles are in complain mode.
/usr/bin/keystone-wsgi-public
/usr/sbin/sssd
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pam
test-profile
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Update a profile across all hosts using SPO
-------------------------------------------
#. Update the policy section of the ``.yaml`` used to create the profile.
.. code-block:: none
$ vi apparmorprofile.yaml
---
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
metadata:
name: test-profile
annotations:
description: Block writing to any files in the disk.
spec:
policy: |
#include <tunables/global>
profile test-profile flags=(attach_disconnected, complain) {
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
network inet tcp,
network inet udp,
capability chown,
}
#. Update the profile.
.. code-block:: none
$ kubectl apply -f apparmorprofile.yaml
#. Verify if the test-profile is added. Check the test-profile content at
``/etc/apparmor.d`` on a host.
.. code-block:: none
$ cat test-profile
#include <tunables/global>
profile test-profile flags=(attach_disconnected, complain) {
#include <abstractions/base>
file,
# Deny all file writes.
deny /** w,
network inet tcp,
network inet udp,
capability chown,
}
.. _delete-a-profile-across-all-hosts-using-spo:
Delete a profile across all hosts using SPO
-------------------------------------------
#. List the AppArmor profiles.
.. code-block:: none
$ kubectl get apparmorprofiles.security-profiles-operator.x-k8s.io
NAME AGE
test-profile 4d1h
#. Delete the AppArmor profiles using ``.yaml`` file as follows:
.. code-block:: none
$ kubectl delete -f apparmorprofile.yaml
OR using imperative commands:
.. code-block:: none
$ kubectl delete apparmorprofiles.security-profiles-operator.x-k8s.io <profile-name>
#. Verify if apparmorprofile resource is deleted.
.. code-block:: none
$ kubectl get apparmorprofiles.security-profiles-operator.x-k8s.io
No resources found in default namespace.
#. Verify if test-profile is removed from a host using ``aa-status``.
.. code-block:: none
$ aa-status
apparmor module is loaded.
20 profiles are loaded.
13 profiles are in enforce mode.
/usr/bin/man
/usr/lib/ipsec/charon
/usr/lib/ipsec/stroke
/usr/sbin/ntpd
cri-containerd.apparmor.d
docker-default
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
tcpdump
7 profiles are in complain mode.
/usr/bin/keystone-wsgi-public
/usr/sbin/sssd
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_be
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_nss
/usr/sbin/sssd//null-/usr/libexec/sssd/sssd_pam
View Git Blame Copy Permalink