- A Cloud Guru
Protect a Kubernetes Cluster with AppArmor
AppArmor is a great way to provide additional security within a Kubernetes cluster. This lab will allow you to practice your skills with using AppArmor in Kubernetes by installing AppArmor in a cluster and using it to secure some containers.
Table of Contents
Enforce the AppArmor Profile
On both the control plane and worker servers, there is an AppArmor profile configuration file located at
/home/cloud_user/apparmor-k8s-deny-write. Load the AppArmor profile represented in this file.
The profile is called
k8s-deny-write. It prevents the container from being able to write anything to disk. You will need to load the profile on both the control plane and worker servers.
Configure the password-db Pod to Run Its Container Using the AppArmor Profile
On the control plane server, there is a Pod in the
password-db. This Pod is writing sensitive password information to a log file. The Pod does not actually need to write to the disk in order to its job.
k8s-deny-writeAppArmor profile to the Pod's container to prevent it from being able to write any sensitive data to the container file system. There is a manifest file or this Pod located at
/home/cloud_user/password-db-pod.yml. Once you have made your changes to the manifest file, delete the Pod and use the manifest to re-create it.
You can check the Pod's log to see whether it is writing sensitive information to the disk.
What's a lab?
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.