AppArmor is a great way to provide additional security within a Kubernetes cluster. This lab will allow you to practice your skills with using AppArmor in Kubernetes by installing AppArmor in a cluster and using it to secure some containers.
Successfully complete this lab by achieving the following learning objectives:
- Enforce the AppArmor Profile
On both the control plane and worker servers, there is an AppArmor profile configuration file located at /home/cloud_user/apparmor-k8s-deny-write. Load the AppArmor profile represented in this file.
The profile is called k8s-deny-write. It prevents the container from writing anything to disk. You will need to load the profile on both the control plane and worker servers.
- Configure the password-db Pod to Run Its Container Using the AppArmor Profile
On the control plane server, there is a Pod called password-db. This Pod is writing sensitive password information to a log file. The Pod does not actually need to write to the disk in order to do its job.
Apply the k8s-deny-write AppArmor profile to the Pod's container to prevent it from writing any sensitive data to the container file system. There is a manifest file for this Pod located at /home/cloud_user/password-db-pod.yml. Once you have made your changes to the manifest file, delete the Pod and use the manifest to re-create it.
You can check the Pod’s log to see whether it is writing sensitive information to the disk.
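As an added example that is not part of the lab material, the shell functions below load the profile on a node and build the annotation that binds the Pod's container to it. The profile path and name come from the lab; the container name password-db, the busybox image, and the temporary manifest path are assumptions.

```shell
#!/bin/sh
# Added example, not the lab's own files. Assumes the Pod's single container
# is also named "password-db" (the lab does not state the container name).

PROFILE_FILE=/home/cloud_user/apparmor-k8s-deny-write
PROFILE=k8s-deny-write

# Run on BOTH the control plane and the worker: parse the profile into the
# kernel, then confirm aa-status lists it. A Pod scheduled onto a node that
# lacks the profile will stay in a Blocked state instead of starting.
load_profile() {
  sudo apparmor_parser -q "$1" && sudo aa-status | grep -qF "$2"
}

# Annotation form used by Kubernetes to pin one container to a node-local
# profile: the key ends in the container name, the value uses the
# "localhost/" prefix because the profile lives on the node itself.
apparmor_annotation() {
  printf 'container.apparmor.security.beta.kubernetes.io/%s: localhost/%s\n' "$1" "$2"
}

# Check a manifest file for the exact annotation line (fixed-string match).
manifest_has_profile() {
  grep -qF "$(apparmor_annotation "$2" "$3")" "$1"
}

# Constructed sample manifest showing where the annotation goes; in the lab
# you add the same line under metadata.annotations of password-db-pod.yml.
write_sample_manifest() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: password-db
  annotations:
    $(apparmor_annotation password-db "$PROFILE")
spec:
  containers:
  - name: password-db
    image: busybox   # placeholder; the lab's manifest has the real image
EOF
}

# On the lab nodes (not run here):
#   load_profile "$PROFILE_FILE" "$PROFILE"           # control plane AND worker
#   write_sample_manifest /tmp/password-db-pod.yml    # or edit the lab manifest
#   kubectl delete pod password-db && kubectl apply -f /tmp/password-db-pod.yml
# Once enforced, the container's writes fail with "Permission denied", which
# is what you look for in the Pod's log.
```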