security-profiles-operator: AppArmor does not work

As AppArmor is not in GA, I am not sure if this is a bug or a feature request.

What happened:

AppArmor does not work on AKS per the steps in the installation manual. I have tested this on vanilla Kubernetes 1.28.2 and AKS 1.27.3.

What you expected to happen:

I expect AppArmor to be in effect.

How to reproduce it (as minimally and precisely as possible):

kubectl -nsecurity-profiles-operator patch spod spod  --type=merge -p='{"spec":{"webhookOptions":[{"name":"binding.spo.io","namespaceSelector":{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}},{"name":"recording.spo.io","namespaceSelector":{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}}]}}'

kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"verbosity":1}}'

kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"enableAppArmor":true}}'

AppArmorProfile.yaml

---
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
metadata:
  name: test-profile
  annotations:
    description: Block writing to any files in the disk.
spec:
  policy: |
    #include <tunables/global>

    profile test-profile flags=(attach_disconnected) {
      #include <abstractions/base>

      file,

      # Deny all file writes.
      deny /** w,
    }

Deployment.yaml (the following was tested with the localhost/ prefix, as below, and also without it)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-pod
  annotations:
    container.apparmor.security.beta.kubernetes.io/test-container: localhost/test-profile
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: test-container

No error on writes

# kubectl get pods 
NAME                        READY   STATUS    RESTARTS   AGE
test-pod-6494887549-d6t68   2/2     Running   0          12s
# kubectl exec -it test-pod-6494887549-d6t68 -- bash
root@test-pod-6494887549-d6t68:/# mkdir kl
root@test-pod-6494887549-d6t68:/# rmdir kl
root@test-pod-6494887549-d6t68:/# exit

Anything else we need to know?:

Environment:

K8S: 1.28.2 AKS: 1.27.3
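Added example, not code from the report or from the security-profiles-operator project: a small linter for the placement pitfall visible in the Deployment above. The container.apparmor.security.beta.kubernetes.io/<container> annotation is a Pod annotation that the kubelet reads from the Pod object, so on a Deployment it belongs under spec.template.metadata.annotations; on the Deployment's own metadata it is never copied to the Pods. The set of loaded profile names is an assumed input (in practice the AppArmorProfile objects listed by kubectl), and the manifest is the reporter's Deployment rebuilt as a dict so the script needs no YAML library.

```python
"""Lint a Deployment for the AppArmor annotation pitfall seen above.

The annotation must live on the pod template, not on the Deployment's
metadata; otherwise the container starts without the profile and file
writes succeed, which matches "No error on writes" in the report.
"""
import copy

PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def lint(deployment: dict, loaded_profiles: set) -> list:
    """Return human-readable findings; an empty list means the manifest looks right."""
    findings = []
    top = deployment.get("metadata", {}).get("annotations") or {}
    for key in top:
        if key.startswith(PREFIX):
            findings.append(f"{key} is on Deployment metadata, not on the pod template")
    tmpl = deployment["spec"]["template"]
    for key, value in (tmpl.get("metadata", {}).get("annotations") or {}).items():
        if not key.startswith(PREFIX):
            continue
        # localhost/<name> must match an AppArmorProfile that SPO has loaded on the node.
        if value.startswith("localhost/") and value[len("localhost/"):] not in loaded_profiles:
            findings.append(f"{key} references {value}, which is not a loaded AppArmorProfile")
    return findings


def move_to_pod_template(deployment: dict) -> dict:
    """Return a copy with AppArmor annotations moved from Deployment to pod metadata."""
    fixed = copy.deepcopy(deployment)
    top = fixed["metadata"].get("annotations") or {}
    moved = {k: top.pop(k) for k in list(top) if k.startswith(PREFIX)}
    pod_meta = fixed["spec"]["template"].setdefault("metadata", {})
    pod_meta["annotations"] = {**(pod_meta.get("annotations") or {}), **moved}
    return fixed


# Constructed input: the reporter's Deployment above, rebuilt as a dict.
REPORTED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "test-pod",
                 "annotations": {PREFIX + "test-container": "localhost/test-profile"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}},
                          "spec": {"containers": [{"image": "nginx", "name": "test-container"}]}}},
}
LOADED = {"test-profile"}  # assumed: AppArmorProfile names SPO has loaded on the nodes
```

Inside a confined container, cat /proc/1/attr/current should print test-profile (enforce) rather than the runtime default or unconfined; the latter means the annotation never reached the Pod.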

About this issue

  • State: closed
  • Created 7 months ago
  • Comments: 15 (5 by maintainers)
