kube-apparmor-manager

command module

v0.0.6 Latest Latest Go to latest Published: Oct 17, 2022 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sysdiglabs/kube-apparmor-manager

Links

Open Source Insights

README ¶

kube-apparmor-manager

Manage AppArmor profiles for Kubernetes cluster

Behind the Scenes

AppArmorProfile CRD is created and AppArmorProfile objects are stored in etcd.
Actual AppArmor profiles will be created(updated) across all worker nodes through synchronizing with AppArmorProfile objects.

AppArmorProfile Object Explained

apiVersion: crd.security.sysdig.com/v1alpha1
kind: AppArmorProfile
metadata:
  name: apparmorprofile-sample
spec:
  rules: |
    # This is the default deny mode of AppArmor profile.
    # List the allow rules here separated by new line character.
    
    # allow few read/write activities
    allow /etc/* r,
    allow /tmp/* rw,

    # allow few commands execution
    allow /bin/echo mrix,
    allow /bin/sleep mrix,
    allow /bin/cat mrix,
  enforced: true # set profile to enforcement mode if true (complain mode if false)

Install as a Krew Plugin

Follow the instructions to install krew. Then run the following command:

kubectl krew install apparmor-manager

The plugin will be available as kubectl apparmor-manager.

Configure Environment

SSH_USERNAME: SSH username to access worker nodes (default: admin)
SSH_PERM_FILE: SSH private key to access worker ndoes (default: $HOME/.ssh/id_rsa)
SSH_PASSPHRASE: SSH passphrase (only applicable if the private key is passphrase protected)

Usage

Usage:
  kube-apparmor-manager [command]

Available Commands:
  enabled     Check AppArmor status on worker nodes
  enforced    Check AppArmor profile enforcement status on worker nodes
  help        Help about any command
  init        Install CRD in the cluster and AppArmor services on worker nodes
  sync        Synchronize the AppArmor profiles from the Kubernetes database (etcd) to worker nodes

Example Output

AppArmor enabled status

$ ./kube-apparmor-manager enabled
+-------------------------------+---------------+----------------+--------+------------------+
|           NODE NAME           |  INTERNAL IP  |  EXTERNAL IP   |  ROLE  | APPARMOR ENABLED |
+-------------------------------+---------------+----------------+--------+------------------+
| ip-172-20-45-132.ec2.internal | 172.20.45.132 | 54.91.xxx.xx   | master | false            |
| ip-172-20-54-2.ec2.internal   | 172.20.54.2   | 54.82.xx.xx    | node   | true             |
| ip-172-20-58-7.ec2.internal   | 172.20.58.7   | 18.212.xxx.xxx | node   | true             |
+-------------------------------+---------------+----------------+--------+------------------+

AppArmor enforced profiles

./kube-apparmor-manager enforced
+-------------------------------+--------+------------------------------------------------------+
|           NODE NAME           |  ROLE  |                  ENFORCED PROFILES                   |
+-------------------------------+--------+------------------------------------------------------+
| ip-172-20-45-132.ec2.internal | master |                                                      |
| ip-172-20-54-2.ec2.internal   | node   | /usr/sbin/ntpd,apparmorprofile-sample,docker-default |
| ip-172-20-58-7.ec2.internal   | node   | /usr/sbin/ntpd,apparmorprofile-sample,docker-default |
+-------------------------------+--------+------------------------------------------------------+

Sync

When ever there is change to AppArmorProfile object, run sync to synchronize across all the worker nodes.

$ ./kube-apparmor-manager sync
**** Host: 54.82.xx.xx:22 ****
** Execute command: echo 'profile apparmorprofile-sample flags=(attach_disconnected) {
	allow /etc/* r,
	allow /tmp/* rw,
	allow /bin/echo mrix,
	allow /bin/sleep mrix,
	allow /bin/cat mrix,
}' > /tmp/apparmorprofile-sample **

** Execute command: mv /tmp/apparmorprofile-sample /etc/apparmor.d/apparmorprofile-sample **

**** Host: 54.82.xx.xx:22 ****
** Execute command: aa-enforce /etc/apparmor.d/apparmorprofile-sample **
Setting /etc/apparmor.d/apparmorprofile-sample to enforce mode.

**** Host: 18.212.xxx.xxx:22 ****
** Execute command: echo 'profile apparmorprofile-sample flags=(attach_disconnected) {
	allow /etc/* r,
	allow /tmp/* rw,
	allow /bin/echo mrix,
	allow /bin/sleep mrix,
	allow /bin/cat mrix,
}' > /tmp/apparmorprofile-sample **

** Execute command: mv /tmp/apparmorprofile-sample /etc/apparmor.d/apparmorprofile-sample **

**** Host: 18.212.xxx.xxx:22 ****
** Execute command: aa-enforce /etc/apparmor.d/apparmorprofile-sample **
Setting /etc/apparmor.d/apparmorprofile-sample to enforce mode.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
aa
commands
api
types/v1alpha1
client
clientset
v1alpha1
types
utils

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL