
AppArmor profiles loader to deploy and update them through a Kubernetes daemonset


Kapparmor



An AppArmor profile loader that deploys profiles through a Kubernetes DaemonSet.

This app provides dynamic loading and unloading of AppArmor profiles on a Kubernetes cluster through a ConfigMap.
The app doesn't need an operator: it is managed by a DaemonSet that filters the Linux nodes on which to schedule the app pod.
The custom profiles deployed in the ConfigMap are copied into a directory on the node (/etc/apparmor.d/custom by default), because apparmor_parser needs the profile definitions also to remove them. Once you deploy a ConfigMap with a different set of profiles, Kapparmor notices the missing ones and removes them both from the AppArmor cache and from the node directory.
If you modify only the content of a profile and keep the same name, Kapparmor still notices the change, since a byte comparison is done whenever a ConfigMap profile name matches a local profile name.

  1. The CD pipeline will
    • deploy a ConfigMap in the security namespace containing all the profiles versioned in the current project
    • apply a DaemonSet on the Linux nodes
  2. The ConfigMap will contain multiple AppArmor profiles
    • The custom profile names HAVE to start with the same PROFILE_NAME_PREFIX; currently this defaults to "custom.".
    • The name of the file must be the same as the name of the profile.
  3. The ConfigMap will be polled every POLL_TIME seconds to move the profiles into the PROFILES_DIR host path and then enable them.

You can view which profiles are loaded on a node by reading /sys/kernel/security/apparmor/profiles, so its parent directory needs to be mounted in the pod.

This work was inspired by kubernetes/apparmor-loader.

Install

You can install the Helm chart like this:

helm repo add tuxerrante https://tuxerrante.github.io/kapparmor
helm upgrade kapparmor --install --atomic --timeout 120s --debug --set image.tag=pr-16 tuxerrante/kapparmor

Constraints

  • Profiles are validated on the presence of the profile keyword before an opening curly bracket {.
    They must be unattached profiles.
  • Profile names have to start with custom. and be equal to their filename.
  • Polling time must be a value between 1 and 86400 seconds (24 hours).
  • There could be issues if you start the DaemonSet on "dirty" nodes, where some old custom profiles were left behind after stopping or uninstalling Kapparmor.
    E.g.: by default, if you delete a pod all the profiles should be automatically removed from that node, but the app crashes during the process.
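As an added illustration of the validation and reconciliation rules described above (the "profile ... {" check, the custom. prefix, the name/filename match and the byte comparison between ConfigMap and node copies), here is example Go code written for this README; it is not Kapparmor's own code, the regexp is a simplified stand-in for the project's check, and the Validate/Reconcile names are assumptions:

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Assumed default for PROFILE_NAME_PREFIX, as stated in the README.
const profileNamePrefix = "custom."

// Matches "profile <name> {" of an unattached profile (hypothetical simplification).
var profileHeader = regexp.MustCompile(`(?m)^\s*profile\s+([^\s{]+)\s*\{`)

// Validate enforces the constraints on one ConfigMap entry: prefixed filename,
// a "profile" keyword before "{", and a profile name equal to the filename.
func Validate(filename string, content []byte) error {
	if !strings.HasPrefix(filename, profileNamePrefix) {
		return fmt.Errorf("%s: filename must start with %q", filename, profileNamePrefix)
	}
	m := profileHeader.FindSubmatch(content)
	if m == nil {
		return fmt.Errorf("%s: no 'profile <name> {' header (attached profiles not supported)", filename)
	}
	if name := string(m[1]); name != filename {
		return fmt.Errorf("%s: profile name %q differs from filename", filename, name)
	}
	return nil
}

// Plan is the outcome of one poll cycle: profiles to (re)load with apparmor_parser
// and profiles to unload and delete from PROFILES_DIR.
type Plan struct{ Load, Remove []string }

// Reconcile compares the ConfigMap profiles (desired) with those already on the
// node (local); the byte comparison catches edits that kept the same name.
func Reconcile(desired, local map[string][]byte) Plan {
	var p Plan
	for name, content := range desired {
		if old, ok := local[name]; !ok || !bytes.Equal(old, content) {
			p.Load = append(p.Load, name)
		}
	}
	for name := range local {
		if _, ok := desired[name]; !ok {
			p.Remove = append(p.Remove, name)
		}
	}
	sort.Strings(p.Load)
	sort.Strings(p.Remove)
	return p
}
```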

Testing

There is a whole project meant to be a demo for this one; have fun.

Or you can find more info in docs/testing.md.

Release process

  1. Commits and tags should be signed.
  2. Update the config/config file with the right app, chart and Go versions.
  3. Do the same in the chart manifest charts/kapparmor/Chart.yaml.
  4. Test it on a local cluster with the ./build scripts, following the docs/testing.md instructions (go test, go lint, helm lint, helm template, helm install dry run...).
  5. Update the chart Changelog with the most relevant commits of this release; this will automatically fill the release page.
  6. Open the PR.
  7. Merge.
  8. Tag.

External useful links

Credits