-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AppArmor Support #8299 #18858
base: master
Are you sure you want to change the base?
Add AppArmor Support #8299 #18858
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: nnzv The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Welcome @nnzv! |
Hi @nnzv. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Can one of the admins verify this patch? |
I'm checking if the kernel image from Buildroot supports AppArmor. Following the docs, I tried
|
CC: @tstromberg |
I've gone through the entire image building process to test out the new environment, following the documentation closely. It instructs to use the target
Seems like the only thing left is to tweak the kernel, you know, enabling those configurations I mentioned earlier. Once that's done, the feature should be ready, although we still need to do some testing regarding the use of AppArmor at the Kubernetes level. I'll roughly leave the final commands I used and some evidence. Note that the last "cat" command results in
|
@nnzv do you mind sharing what use cases this would help with ? are there any issues that users are already asking for this ? |
User @acoulon99 requested this feature some time ago via an issue (#8299). For detailed information on its use cases, you can refer to the Kubernetes documentation at https://kubernetes.io/docs/tutorials/security/apparmor, particularly the example of a profile that blocks all file write operations on nodes. It's surprising that Minikube hasn't incorporated this feature, considering that Kubernetes has supported AppArmor since version |
thank you for sharing that thats a valid reason to add the support, in the past each time apparomor gets enabled it breaks a lot of other things... I curious how it would affect addons or other normal use cases |
ok-to-build-iso |
if we I think we should have a flag to like --apparomor so if users face issues they could disable it. |
You're welcome. Indeed, it does seem like a good idea. I wasn't aware that it was implemented long ago but disabled due to breaking changes. Regarding the new flag, I'm not sure how to dynamically ignore things by buildroot, specifically referring to the |
yes I think there was issues with github action running with apparmor (for KIC - docker/podman drivers) @nnzv the ISO build failed btw but not related to this PR (yet) the build failure is due to the changes in SHA by containernetworking/plugins#1038 that they unexpectedly built the binary and overwrote the previous ones for enable disabling it I am thinking if there should be a linux command to turn it on or off after the ISO is built. so if users start minikube --apparmor=true it would be enabled in the kernel module. that way we would not have a lot of new headaches for breaking people's existing workflows |
/ok-to-build-iso |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After researching, I found that apparmor can't be activated as a kernel module. So, with this setup, the kernel won't use apparmor LSM by default. To enable it dynamically, we may need to tweak kernel parameters in the grub.cfg
. So, after setting up a node, we'd SSH in, adjust the grub.cfg
, or generate it with grub-mkconfig after editing /etc/default/grub
.
minikube ssh
# ...
vi /etc/default/grub
# ...
grep CMDLINE_LINUX /etc/default/grub
# GRUB_CMDLINE_LINUX="... apparmor=1 security=apparmor ..."
grub-mkconfig -o /boot/grub/grub.cfg
# ...
If for some reason Minikube doesn't handle the modification of the grub configuration, we can manually edit /boot/grub/grub.cfg
or its equivalent on the node to add the required kernel parameters. Afterward, a reboot is required for the kernel to recognize the new LSM. Of course, this explanation is simply to outline the process; ideally, automation could be achieved using a boolean flag variable like --apparmor
, as you mentioned.
No worries. It's committed now. Since I don't have my ThinkPad (the one I used for development) with me, I'll wait for Minikube's CI to finish building the ISO. Once that's done, I'll test the POC I mentioned earlier, specifically about enabling apparmor with kernel parameters. Enabling it by default (adding
|
This comment has been minimized.
This comment has been minimized.
Hi @nnzv, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further. |
This comment has been minimized.
This comment has been minimized.
Hey @medyagh, could we give "ok-to-build-iso" another shot? I've checked the ISO created by the bot, but it seems my changes weren't taken into account (494ee1d and e109ed0). By the way, do you happen to know how we can tweak kernel parameters? I'm aware that each architecture in |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
@nnzv sure can you plz rebase your PR so I can trigger it one more time ? |
/ok-to-build-iso |
This comment has been minimized.
This comment has been minimized.
Hi @nnzv, we have updated your PR with the reference to newly built ISO. Pull the changes locally if you want to test with them or update your PR further. |
kvm2 driver with docker runtime
Times for minikube ingress: 25.4s 24.0s 25.0s 23.5s 23.9s Times for minikube start: 47.5s 45.3s 49.4s 49.8s 47.9s docker driver with docker runtime
Times for minikube ingress: 21.8s 20.8s 21.8s 21.3s 21.8s Times for minikube start: 24.2s 24.5s 23.7s 24.3s 23.6s docker driver with containerd runtime
Times for minikube start: 23.0s 23.3s 23.5s 22.5s 23.4s Times for minikube ingress: 31.3s 30.8s 30.8s 32.3s 32.3s |
This comment has been minimized.
This comment has been minimized.
These are the flake rates of all failed tests.
Too many tests failed - See test logs for more details. To see the flake rates of all tests by environment, click here. |
Alright, so we got the utils binaries in place. But now, we need to activate apparmor using kernel parameters. It's disabled at boot by default to prevent potential issues in case minikube decides to utilize another LSM like Selinux in the future. minikube ssh
aa-enabled
# No - disabled at boot. I see there's an minikube ssh
sudo su -
mkdir /boot/syslinux
cat << EOF > /boot/syslinux/syslinux.cfg
APPEND apparmor=1 security=apparmor
EOF
reboot Data isn't sticking around after a reboot, which is essential for loading "syslinux.cfg" to enable apparmor. From what I gather, there are specific directories that the iso keeps intact after a reboot, like minikube ssh
ls -l /boot
# total 21956
# -rw-r--r-- 1 root root 22482368 May 30 04:42 bzImage |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Hi folks, any updates on when this will get merged? |
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
My additions in https://github.com/mhils/minikube/commits/patch-apparmor/ make |
Implemented AppArmor support for Minikube on both aarch64 and x86_64 architectures. Testing pending, relying on documentation for guidance. Excluded unnecessary extras:
BR2_PACKAGE_APPARMOR_PROFILES
: Community profiles deemed non-essential for Minikube users.