7. Workload Considerations: AppArmor


  • AppArmor is simpler and less complete than SELinux.
  • It is available on Debian and SUSE Linux distributions.
  • It supplements the UNIX Discretionary Access Control (DAC) model by providing Mandatory Access Control (MAC).
  • Its learning mode (complain mode) is similar to SELinux's Permissive mode: profile violations are logged but not prevented, and the log can be turned into a profile.
  • No security labels are needed, so it is filesystem-neutral.
  • An administrator associates a security profile with a program.
  • Unlike SELinux, which labels objects directly, AppArmor applies security policy to pathnames.

K8s

  • The AppArmor profile must be available on the worker node before a pod can use it. Profiles can be added to worker nodes during installation with Ansible or Puppet, or distributed with a DaemonSet.
  • To disable AppArmor for the entire cluster, pass --feature-gates=AppArmor=false.
  • AppArmor profiles can be managed (restricted per pod) using a PSP.
  • If the AppArmor kernel module is available, the service is controlled with:

sudo systemctl [start|stop|restart|status] apparmor

  • To load or not load at boot time:

sudo systemctl [enable|disable] apparmor

  • To see the current status:

sudo apparmor_status

Modes

1. Enforced mode

Default mode

aa-enforce

2. Complain mode

Also called learning mode

aa-complain

Profiles

- Pre-packaged profiles

- installed along with a new software install

- installed with the AppArmor profiles package: apparmor-profiles

- stored at /etc/apparmor.d

- "man apparmor.d" provides documentation.

Other utilities

  • apparmor-notify (aa-notify): summary of AppArmor log messages
  • aa-disable: unload a single profile and prevent it from loading at boot
  • aa-easyprof: helps set up a basic AppArmor profile for a program
  • aa-logprof: scans the log; for every AppArmor event not covered by an existing profile, it suggests a rule.
  • aa-genprof: creates a new complain-mode profile for a program, using existing profiles as input, then runs aa-logprof to scan AppArmor events. For each entry in the system log it offers (A) Allow, (D) Deny, (I) Ignore, (N) New, (G) Glob last piece, (Q) Quit, until Quit is selected; the new profile is then written.
  • Bane: AppArmor profile generator for Docker containers. It automatically installs the profile in /etc/apparmor.d/containers/.

List all AppArmor utilities using:

rpm -qil apparmor-utils | grep bin
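The utilities above share one workflow: run in complain mode, read the AppArmor audit events, let aa-logprof turn them into rules, then enforce. The bash script below is an added example, not part of these notes: it summarises type=1400 audit lines the way apparmor-notify and aa-logprof consume them, and wraps the learn-then-enforce commands in a function. The log lines, pids, paths and profile names are constructed samples; on a real node the input would come from journalctl -k or /var/log/audit/audit.log.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes). Summarise AppArmor audit
# events (type=1400) as apparmor-notify / aa-logprof would, and wrap the
# complain -> logprof -> enforce loop. Sample log lines are constructed;
# on a real node feed `journalctl -k` or /var/log/audit/audit.log instead.

# Constructed sample: two profiles, three denials and one complain-mode
# ALLOWED event (an access that enforce mode would have blocked).
SAMPLE_LOG=$(cat <<'EOF'
audit: type=1400 audit(1700000000.001:101): apparmor="DENIED" operation="open" profile="k8s-apparmor-example-deny-write" name="/tmp/out" pid=4321 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.002:102): apparmor="ALLOWED" operation="open" profile="usr.sbin.nginx" name="/etc/nginx/conf.d/extra.conf" pid=4400 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="open" profile="k8s-apparmor-example-deny-write" name="/var/log/app.log" pid=4321 comm="sh" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.004:104): apparmor="DENIED" operation="exec" profile="usr.sbin.nginx" name="/bin/bash" pid=4401 comm="nginx" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
EOF
)

# Read audit lines on stdin and print "<count> <profile> <operation> <name>
# <denied_mask>" (tab-separated) for events with the given apparmor= status.
# DENIED shows what enforce mode blocked; ALLOWED shows what complain mode
# let through and aa-logprof would ask about. Caveat: fields are split on
# whitespace, so a name="" containing spaces needs a real key=value parser.
summarize_events() {
  local status="${1:-DENIED}"
  awk -v want="$status" '
    {
      st = op = prof = nm = mask = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        gsub(/"/, "", kv[2])
        if      (kv[1] == "apparmor")    st   = kv[2]
        else if (kv[1] == "operation")   op   = kv[2]
        else if (kv[1] == "profile")     prof = kv[2]
        else if (kv[1] == "name")        nm   = kv[2]
        else if (kv[1] == "denied_mask") mask = kv[2]
      }
      if (st == want) count[prof "\t" op "\t" nm "\t" mask]++
    }
    END { for (k in count) print count[k] "\t" k }
  ' | sort
}

# Denials per profile, highest first: the figure a notifier would alert on.
denials_per_profile() {
  summarize_events DENIED |
    awk -F'\t' '{ n[$2] += $1 } END { for (p in n) print n[p] "\t" p }' |
    sort -rn
}

# The learn-then-enforce loop from the notes as commands (needs root on a
# node with AppArmor; not run by the demo). $1 is a profile file or program.
learn_then_enforce() {
  sudo aa-complain "$1"   # log violations instead of blocking them
  # ... exercise the workload here so every needed access gets logged ...
  sudo aa-logprof         # turn logged events into rules: (A)llow (D)eny (I)gnore (N)ew (G)lob (Q)uit
  sudo aa-enforce "$1"    # switch the profile back to enforce mode
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_events DENIED
printf '%s\n' "$SAMPLE_LOG" | denials_per_profile
```

Running the ALLOWED summary against a node that is still in complain mode is the quickest way to see which rules a profile is missing before switching to enforce.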

Access modes that can be assigned in an AppArmor profile

  • r : Read
  • w : Write
  • m : Memory map as executable
  • k : File locking
  • l : Create hard links
  • ix : Execute and inherit this profile
  • Px : Execute under another profile after cleaning the environment
  • Ux : Execute unconfined after cleaning the environment

--feature-gates=AppArmor=true|false

Add this annotation to the pod metadata:

container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>

Note: <container_name> is the container name, not the pod name.

<profile_ref> uses the profile name, not the profile file name.

E.g. container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-deny-write

A file under /etc/apparmor.d/ on the node must define the profile k8s-apparmor-example-deny-write.

profile_ref can be one of:

- runtime/default

- localhost/<profile_name>

- unconfined 

For a PSP:

apparmor.security.beta.kubernetes.io/defaultProfileName: <profile_ref>

apparmor.security.beta.kubernetes.io/allowedProfileNames: <profile_ref>[,others...]
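Putting the node-side and the pod-side pieces together, as an added example rather than the notes' own material: the bash script below writes the k8s-apparmor-example-deny-write profile (the w and ix access modes from the list above appear in its rules), loads it with apparmor_parser, and renders the annotated pod plus a PSP that whitelists the profile. The pod name hello-apparmor, the PSP name apparmor-restricted and the busybox image are assumptions. PodSecurityPolicy was removed in Kubernetes 1.25, so the PSP part applies to older clusters only.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): install the profile on a node,
# then apply a pod that references it and a PSP that whitelists it.
# install_profile needs root and AppArmor; the render_* functions are pure.
PROFILE="k8s-apparmor-example-deny-write"
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"

# Profile body. "file," grants every file access, "deny /** w," then removes
# all writes (deny rules win), and "ix" runs helpers under this same profile.
render_profile() {
  cat <<EOF
#include <tunables/global>

profile ${PROFILE} flags=(attach_disconnected) {
  #include <abstractions/base>

  file,
  deny /** w,
  /bin/** ix,
}
EOF
}

# Write the profile under /etc/apparmor.d (so it is reloaded at boot) and
# load it into the kernel now; -r replaces an already-loaded copy.
install_profile() {
  render_profile > "${APPARMOR_DIR}/${PROFILE}"
  apparmor_parser -r "${APPARMOR_DIR}/${PROFILE}"
  aa-status | grep -q "${PROFILE}"   # confirm the kernel knows the profile
}

# Pod: the annotation key ends in the *container* name (hello); the value is
# localhost/<profile name>, not the profile's file name. Names are assumed.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/${PROFILE}
spec:
  containers:
  - name: hello
    image: busybox
    command: ["sh", "-c", "echo 'Hello AppArmor!' && sleep 1h"]
EOF
}

# PSP (clusters before 1.25): pods admitted under it get runtime/default
# unless they ask for an allowed profile; any other profile_ref is rejected.
render_psp() {
  cat <<EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: apparmor-restricted
  annotations:
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default,localhost/${PROFILE}
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
EOF
}

main() {
  if ! command -v apparmor_parser >/dev/null 2>&1; then
    echo "no apparmor_parser here: printing the artefacts instead of installing" >&2
    render_profile; render_pod; render_psp
    return 0
  fi
  install_profile
  render_psp | kubectl apply -f -
  render_pod | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/hello-apparmor --timeout=60s
  # A write from inside the container must now fail with a permission error.
  kubectl exec hello-apparmor -- touch /tmp/probe || echo "write denied as expected"
}
main
```

If the profile is missing on the node the pod is not scheduled there but stays Pending; kubectl describe pod shows the reason, which is the usual symptom when a profile was installed on some nodes only.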
