docs/doc/source/security/kubernetes/install-security-profiles-operator-1b2f9a0f0108.rst
Elisamara Aoki Goncalves ace0287d7a AppArmor Support (dsR8)
Story: 2010310
Task: 47620

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I97065a0d0c345bb32663e1ff631c5c4ca524231d
2023-04-25 15:53:17 -03:00


Install Security Profiles Operator (SPO)

In order to apply the profiles to a particular pod, the profiles need to be available on the host where the pod is launched. Security Profiles Operator (SPO, https://github.com/kubernetes-sigs/security-profiles-operator) provides AppArmor profile management (i.e. loading/unloading) across Kubernetes nodes. SPO defines an AppArmor Profile custom resource, so that end users can define AppArmor profiles for SPO to manage.

SPO is packaged as a system application and is managed using system application commands. To install SPO, use the following procedure.

AppArmor should be enabled on the host(s) where workloads need to be protected using AppArmor (described in Enable/Disable AppArmor on a Host <enable-disable-apparmor-on-a-host-63a7a184d310>).

  1. Locate the tarball in /usr/local/share/applications/helm.

    For example:

    /usr/local/share/applications/helm/security-profiles-operator-<version>.tgz
  2. Upload the application.

    ~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/security-profiles-operator-<version>.tgz
  3. Verify the tarball has been uploaded.

    ~(keystone_admin)]$ system application-list
  4. Apply the application.

    ~(keystone_admin)]$ system application-apply security-profiles-operator
  5. Monitor the status.

    ~(keystone_admin)]$ watch -n 5 system application-list
    
    OR
    
    ~(keystone_admin)]$ watch kubectl get pods -n security-profiles-operator

The configuration of the installed security-profiles-operator application is as follows:

security-profiles-operator

Runs as a deployment, replica count of 3 on the controller(s).

security-profiles-operator-webhook

Runs as a deployment, replica count of 3.

spod

Runs as a daemonset on every Kubernetes host (i.e., controller(s) and worker(s)), where application pods can be scheduled.
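Scripting steps 2 to 5 of the procedure above and then checking the component layout just described, as an added example that is not StarlingX's or SPO's own tooling. It assumes `system application-list` prints a `|`-delimited table whose header row names a `status` column and that the application moves through states such as `uploaded`, `applied` and `apply-failed`; `LIST_CMD` and `POLL_INTERVAL` are hypothetical overrides that only exist so the wait logic can be exercised offline.

```shell
#!/bin/sh
# Runs steps 2-5 of the install procedure, failing on a *-failed state instead of
# relying on a human watching the table, then checks the documented components.
set -e
APP="security-profiles-operator"
NS="security-profiles-operator"
HELM_DIR="/usr/local/share/applications/helm"

# Status of one application from `system application-list` output on stdin.
# Assumed format: '|'-delimited table whose header row names a "status" column.
app_status() {
    awk -F'|' -v app="$1" '
        /\| *status *\|/ && !col { for (i = 1; i <= NF; i++) if ($i ~ /^ *status *$/) col = i }
        col && $2 ~ ("^ *" app " *$") { gsub(/ /, "", $col); print $col; exit }
    '
}

# LIST_CMD and POLL_INTERVAL are hypothetical overrides for offline testing;
# the defaults are the commands from the procedure.
list_apps() { ${LIST_CMD:-system application-list}; }
# wait_for_status <app> <wanted-state> [timeout-seconds]
# Returns 0 once <wanted-state> is reached, 1 on any *-failed state or timeout.
wait_for_status() {
    app="$1"; want="$2"; tries=$(( ${3:-600} / 5 )); st=""
    while [ "$tries" -gt 0 ]; do
        st="$(list_apps | app_status "$app")"
        case "$st" in
            "$want")  echo "$app: $st"; return 0 ;;
            *-failed) echo "$app: $st" >&2; return 1 ;;
        esac
        tries=$(( tries - 1 ))
        [ "$tries" -gt 0 ] && sleep "${POLL_INTERVAL:-5}"
    done
    echo "$app: timed out waiting for '$want' (last: '${st:-unknown}')" >&2
    return 1
}
# The documented layout: two deployments and the spod daemonset, all rolled out.
verify_topology() {
    kubectl -n "$NS" rollout status deployment/security-profiles-operator --timeout=120s
    kubectl -n "$NS" rollout status deployment/security-profiles-operator-webhook --timeout=120s
    kubectl -n "$NS" rollout status daemonset/spod --timeout=120s
}

install_spo() {
    system application-upload "$HELM_DIR"/"$APP"-*.tgz   # step 2: expects one tarball
    wait_for_status "$APP" uploaded 120
    system application-apply "$APP"                        # step 4
    wait_for_status "$APP" applied 900                      # step 5
    verify_topology
}
if [ "${1:-}" = "install" ]; then install_spo; fi   # usage: sh install-spo.sh install
```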

Remove Security Profiles Operator (SPO)

Run the following commands to remove SPO. This removes the pods and other resources created when the application was installed.

Note

This procedure does not remove the AppArmor profiles created using SPO. You can delete previously created profiles by following the procedure described in Delete a profile across all hosts using SPO <delete-a-profile-across-all-hosts-using-spo>.

If an AppArmor profile is deleted, all pods with that AppArmor profile annotation should be either removed or updated to remove the annotation.

  1. Remove the application.

    ~(keystone_admin)]$ system application-remove security-profiles-operator
  2. Delete the application.

    ~(keystone_admin)]$ system application-delete security-profiles-operator

Note

Removing AppArmor from a deployment requires removing SPO as specified in this section and then disabling AppArmor on all the host(s). For more details, see Enable/Disable AppArmor on a Host <enable-disable-apparmor-on-a-host-63a7a184d310>.

Disable AppArmor from a StarlingX deployment

To disable AppArmor from a StarlingX deployment, follow these steps:

  1. Remove the SPO system application (refer to Remove Security Profiles Operator (SPO) <remove-security-profiles-operator-spo>).
  2. Disable AppArmor on host(s) (refer to Enable/Disable AppArmor on a Host <enable-disable-apparmor-on-a-host-63a7a184d310>).