Story: 2010310 Task: 47620 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I97065a0d0c345bb32663e1ff631c5c4ca524231d
Install Security Profiles Operator (SPO)
In order to apply profiles to a particular pod, the profiles need to be available on the host where the pod is launched. The Security Profiles Operator (SPO, https://github.com/kubernetes-sigs/security-profiles-operator) provides AppArmor profile management (i.e., loading and unloading) across Kubernetes nodes. SPO defines an AppArmor Profile custom resource, so that end users can define AppArmor profiles for SPO to manage.
SPO is packaged as a system application and is managed using system application commands. To install SPO, use the following procedure.
AppArmor should be enabled on the host(s) where workloads need to be protected using AppArmor (described in Enable/Disable AppArmor on a Host <enable-disable-apparmor-on-a-host-63a7a184d310>).
Locate the tarball in /usr/local/share/applications/helm. For example:
/usr/local/share/applications/helm/security-profiles-operator-<version>.tgz
Upload the application.
~(keystone_admin)]$ system application-upload /usr/local/share/applications/helm/security-profiles-operator-<version>.tgz
Verify the tarball has been uploaded.
~(keystone_admin)]$ system application-list
Apply the application.
~(keystone_admin)]$ system application-apply security-profiles-operator
Monitor the status.
~(keystone_admin)]$ watch -n 5 system application-list
or
~(keystone_admin)]$ watch kubectl get pods -n security-profiles-operator
The configuration of the installed security-profiles-operator application is as follows:
- security-profiles-operator: runs as a deployment with a replica count of 3 on the controller(s).
- security-profiles-operator-webhook: runs as a deployment with a replica count of 3.
- spod: runs as a daemonset on every Kubernetes host (i.e., controller(s) and worker(s)) where application pods can be scheduled.
Remove Security Profiles Operator (SPO)
Run the following commands to remove SPO. This will remove the pods and other resources created by the application installation.
Note
This procedure does not remove the AppArmor profiles created using SPO. You can delete previously created profiles by following the procedure described in Delete a profile across all hosts using SPO <delete-a-profile-across-all-hosts-using-spo>.
If an AppArmor profile is deleted, all pods carrying that AppArmor profile annotation should either be removed or updated to drop the annotation.
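Before deleting a profile, it helps to know which pods still bind a container to it. The following script is an added example, not part of the StarlingX documentation or of SPO: it scans a constructed sample in the shape of `kubectl get pods -A -o json` output for the Kubernetes per-container AppArmor annotation (`container.apparmor.security.beta.kubernetes.io/<container>` with value `localhost/<profile>`); the pod and profile names in the sample are assumptions.

```python
import json

# Kubernetes per-container AppArmor annotation; value is "localhost/<profile>"
ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def pods_using_profile(pod_list: dict, profile: str) -> list:
    """Return (namespace, pod, container) triples whose AppArmor annotation
    binds the container to localhost/<profile>, so they can be updated or
    removed before the profile itself is deleted."""
    wanted = f"localhost/{profile}"
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "")
        # kubectl emits "annotations": null when a pod has none
        for key, value in (meta.get("annotations") or {}).items():
            if key.startswith(ANNOTATION_PREFIX) and value == wanted:
                hits.append((ns, name, key[len(ANNOTATION_PREFIX):]))
    return hits


# Constructed sample in the shape of `kubectl get pods -A -o json`: one pod
# bound to my-profile, one bound to another profile, one with no annotations.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "app1", "name": "web-0",
    "annotations": {"container.apparmor.security.beta.kubernetes.io/nginx":
                    "localhost/my-profile"}},
   "spec": {"containers": [{"name": "nginx"}]}},
  {"metadata": {"namespace": "app2", "name": "db-0",
    "annotations": {"container.apparmor.security.beta.kubernetes.io/postgres":
                    "localhost/other-profile"}},
   "spec": {"containers": [{"name": "postgres"}]}},
  {"metadata": {"namespace": "app3", "name": "batch-0", "annotations": null},
   "spec": {"containers": [{"name": "job"}]}}
]}
""")

if __name__ == "__main__":
    for ns, pod, container in pods_using_profile(SAMPLE_POD_LIST, "my-profile"):
        print(f"{ns}/{pod} container {container} still references my-profile")
```

On a live cluster, replace the constructed sample with `json.load()` over the output of `kubectl get pods -A -o json`.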
Remove the application.
~(keystone_admin)]$ system application-remove security-profiles-operator
Delete the application.
~(keystone_admin)]$ system application-delete security-profiles-operator
Note
Removing AppArmor from a deployment requires removing SPO as specified in this section and then disabling AppArmor on all the host(s). For more details, see Enable/Disable AppArmor on a Host <enable-disable-apparmor-on-a-host-63a7a184d310>.
Disable AppArmor from a StarlingX deployment
To disable AppArmor from a StarlingX deployment, follow these steps:
- Remove the SPO system application (refer to Remove Security Profiles Operator (SPO) <remove-security-profiles-operator-spo>).
- Disable AppArmor on the host(s) (refer to Enable/Disable AppArmor on a Host <enable-disable-apparmor-on-a-host-63a7a184d310>).