AKS AppArmor Profile Loader Daemonset

One of the issues with utilizing AppArmor in an AKS cluster is loading your AppArmor profiles onto your nodes. This can be done via a simple DaemonSet, but without some precautions you can end up in a race condition where pods can be scheduled to your node before the AppArmor profiles have been loaded.

The easiest way to work around this in AKS is to taint the nodes on creation with a special taint, then use a DaemonSet that tolerates that taint to copy the profiles, load them, and then remove the taint, which will then allow regular workloads to schedule.

To use this project, you'll need to create a ConfigMap with all of your AppArmor profiles (an example profile is included). From the directory where your profiles are located, execute the following command to create the apparmor-profiles object:

kubectl -n kube-system create configmap apparmor-profiles --from-file=*.profile

This project makes use of initContainers to copy and load the profiles, with the regular container that stays running just being an unprivileged copy of the pause container that Kubernetes uses in each pod. This means that the resources consumed on the node after load are effectively nil, and security is increased by dropping privileges after the profiles are loaded.

To use this method, the following configuration is required:

A template to deploy an example cluster can be found here: Bicep/ARM.

Resources in the manifest:

  • ClusterRole apparmor-profile-loader: contains get and patch permissions on nodes to allow removal of taints.
  • ServiceAccount apparmor-profile-loader: used to authenticate to the Kubernetes API and remove the taint.
  • ClusterRoleBinding apparmor-profile-loader: associates the role to the service account.
  • ConfigMap apparmor-scripts: contains the shell script to untaint the node.
  • DaemonSet apparmor-profile-loader: this DaemonSet consists of 3 initContainers and a pause container image and is what actually loads the profiles.
    • init containers:
      • apparmor-profiles-copy: copies the profiles into /etc/apparmor.d/local/apparmor-profile-loader.
      • apparmor-profiles-load: uses apparmor_parser to load the profiles from /etc/apparmor.d/local/apparmor-profile-loader.
      • node-taint-remover: uses kubectl and the service account to remove the WaitingForAppArmorProfiles=true:NoSchedule taint from the node.
    • container:
      • pause: this container just sleeps without using any CPU or memory