docs/doc/source/security/kubernetes/enable-disable-apparmor-on-a-host-63a7a184d310.rst

.. _enable-disable-apparmor-on-a-host-63a7a184d310:

=================================
Enable/Disable AppArmor on a Host
=================================

By default, AppArmor is disabled on a host. It can be enabled in the kernel
using system CLI commands as follows. In the below example AppArmor is enabled
on controller-0.

.. note::

    Enabling AppArmor can result in some performance degradation, see |org|
    System Engineering Guidelines.

.. note::

    On a multi-host configuration, AppArmor should be enabled on all hosts to
    ensure that the AppArmor profiles are loaded on any host where a pod may be
    scheduled by kubernetes.

#.  To enable AppArmor on a host, run the following commands:

    .. code-block:: none

        ~(keystone_admin)]$ system host-lock controller-0
        ~(keystone_admin)]$ system host-update controller-0 apparmor=enabled
        ~(keystone_admin)]$ system host-unlock controller-0

    Wait for controller-0 to reset and return to an unlocked/enabled/available
    state.

#.  Verify if AppArmor is enabled by running the following commands on the
    host.

    .. code-block:: none

        sysadmin@controller-0:~$ aa-enabled

        Yes

To disable AppArmor on a host, run the following commands.

#.  In the below example AppArmor is disabled on controller-0.

    .. code-block:: none

        ~(keystone_admin)]$ system host-lock controller-0
        ~(keystone_admin)]$ system host-update controller-0 apparmor=disabled
        ~(keystone_admin)]$ system host-unlock controller-0

    Wait for controller-0 to reset and return to an unlocked/enabled/available
    state.

#.  Verify if AppArmor is disabled by running the following commands on the
    host.

    .. code-block:: none

        sysadmin@controller-0:~$ aa-enabled

        No