Protect a Kubernetes Cluster with AppArmor

30 minutes
  • 2 Learning Objectives

About this Hands-on Lab

AppArmor is a great way to provide additional security within a Kubernetes cluster. This lab will allow you to practice your skills with using AppArmor in Kubernetes by installing AppArmor in a cluster and using it to secure some containers.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Enforce the AppArmor Profile

On both the control plane and worker servers, there is an AppArmor profile configuration file located at /home/cloud_user/apparmor-k8s-deny-write. Load the AppArmor profile represented in this file.

The profile is called k8s-deny-write. It prevents the container from being able to write anything to disk. You will need to load the profile on both the control plane and worker servers.

Configure the password-db Pod to Run Its Container Using the AppArmor Profile

On the control plane server, there is a Pod in the auth namespace called password-db. This Pod is writing sensitive password information to a log file. The Pod does not actually need to write to the disk in order to its job.

Apply the k8s-deny-write AppArmor profile to the Pod’s container to prevent it from being able to write any sensitive data to the container file system. There is a manifest file or this Pod located at /home/cloud_user/password-db-pod.yml. Once you have made your changes to the manifest file, delete the Pod and use the manifest to re-create it.

You can check the Pod’s log to see whether it is writing sensitive information to the disk.

Additional Resources

Your company, SecuriCorp, is using Kubernetes to run a variety of applications. Recently, hackers have been trying various techniques to break into the Kubernetes cluster and steal data.

Your developers have built a password-db application in the cluster which provides an API to a database of user passwords. This application runs in a Pod called password-db, and it handles sensitive data.

Recently, you discovered that this application sometimes writes sensitive password data to a debug log on the container file system. This isn't very good practice from a security standpoint, and your devs don't have time to address the issue right now.

Enable a no-write AppArmor profile that will prevent containers from being able to write to disk, then apply this profile to the password-db Pod's container. This will prevent this container from writing to disk, and will mitigate the risk of any sensitive data being written to disk by this application in the future.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?