bane
is an AppArmor profile generator for docker containers. I needed AppArmor profiles on my GKE nodes.
CronJob or run-once DaemonSets do not exist in Kubernetes yet (ref kubernetes/kubernetes#36601), so this is what I think an elegant interim solution looks like.
There are three containers used in the DaemonSet example found in k8s/:

- k8s.gcr.io/git-sync: as expected, syncs a git repo to a volume
- jonpulsifer/bane: does a find /profile/dir/ -type f -name "*.toml" -exec bane {} \; - see Dockerfile in the repo root - tl;dr

    FROM alpine:edge
    +apk add apparmor@testing
    +COPY --from=builder /go/bin/bane /sbin/

- k8s.gcr.io/pause: sleep (read more here)
So, the git container downloads some .toml files that bane will parse. bane parses them, then the DaemonSet sleeps to not consume cluster resources.
This enables continuous delivery of AppArmor profiles to all your Kubernetes nodes: a deploy triggers a rolling update and the new profiles are applied.
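As an added illustration of the flow described above (this is not the manifest shipped in k8s/), here is a DaemonSet that wires the three containers together. It assumes git-sync and bane run as initContainers so they execute once per pod before pause takes over; the image tags, the placeholder repo URL, the /etc/apparmor.d and /sys/kernel/security host paths, and the privileged securityContext are all assumptions, not values from the page.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: apparmor-profiles
spec:
  selector:
    matchLabels:
      app: apparmor-profiles
  template:
    metadata:
      labels:
        app: apparmor-profiles
    spec:
      volumes:
      - name: profiles      # shared emptyDir: git-sync writes here, bane reads from it
        emptyDir: {}
      - name: apparmor-d    # host directory bane writes generated profiles into (assumed)
        hostPath: {path: /etc/apparmor.d}
      - name: securityfs    # apparmor_parser loads profiles into the kernel through here
        hostPath: {path: /sys/kernel/security}
      initContainers:       # run once, in order, before the pause container starts
      - name: git-sync
        image: k8s.gcr.io/git-sync:v3.1.1   # tag assumed
        env:
        - {name: GIT_SYNC_REPO, value: "https://example.invalid/org/apparmor-profiles.git"}  # placeholder
        - {name: GIT_SYNC_DEST, value: profiles}
        - {name: GIT_SYNC_ONE_TIME, value: "true"}   # exit after the first sync
        volumeMounts:
        - {name: profiles, mountPath: /tmp/git}   # git-sync's default root
      - name: bane
        image: jonpulsifer/bane:latest   # image named on the page; tag assumed
        command: ["sh", "-c", "find /tmp/git/profiles -type f -name '*.toml' -exec bane {} \\;"]
        securityContext:
          privileged: true   # loading profiles needs CAP_MAC_ADMIN and a writable securityfs
        volumeMounts:
        - {name: profiles, mountPath: /tmp/git, readOnly: true}
        - {name: apparmor-d, mountPath: /etc/apparmor.d}
        - {name: securityfs, mountPath: /sys/kernel/security}
      containers:
      - name: pause          # keeps the pod Running without consuming resources
        image: k8s.gcr.io/pause:3.1
```

Because apps/v1 DaemonSets default to a RollingUpdate strategy, any change to the pod template re-runs both init containers on every node, which is the rolling profile refresh described above. Since the pod is privileged and writes into the host's /etc/apparmor.d, treat write access to this DaemonSet as equivalent to node-level access and lock it down with RBAC accordingly.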
This literally calls apparmor_parser a bunch of times, so send PRs to https://github.com/genuinetools/bane for $feature.