bmuschko / cks-crash-course

In-depth and hands-on practice for acing the exam.

Cannot have exercise 5 work with apparmor profile provided #2

Closed lucj closed 2 months ago

lucj commented 3 months ago

The apparmor profile provided in the solution does not work for me:

#include <tunables/global>

profile network-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  network,
}

Instead I used this one:

#include <tunables/global>

profile network-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  file,
  deny network,
}

Any idea of the problem?

bmuschko commented 3 months ago

I tried this again and it works for me.

  1. Did you use the Vagrant setup provided in this exercise?
  2. Did you perform the actions on the worker node?
lucj commented 3 months ago

I'm doing this exercise on an AppArmor scenario of Killercoda. When I use this policy on a worker node:

#include <tunables/global>

profile network-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  network,
}

I get this error message while checking the log of the network-call pod:

k logs network-call 
/bin/sh: can't open '/entrypoint.sh': Permission denied

This is why I used this policy instead (but I'm not 100% sure this is the correct one :) )

#include <tunables/global>

profile network-deny flags=(attach_disconnected) {
  #include <abstractions/base>

  file,
  deny network,
}

With that one I get:

k logs network-call 
ping: bad address 'google.com'
ping: bad address 'google.com'

I'm not an expert in apparmor (far from that :) ) so I was curious about the reason there was no deny keyword in front of the network resource in the original profile.

Also, I'm using 1.30 (the current version used in the CKS); the AppArmor profile should now go into the securityContext instead of an annotation.

Any idea what I'm doing wrong?
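
Worked example, added here by the editor and not part of the original thread or the course repository: a manifest for the `network-call` pod that references the `network-deny` profile through the Kubernetes 1.30 `securityContext.appArmorProfile` field, followed by the equivalent pre-1.30 annotation form for comparison. The image, the command, and the node name `kube-worker-1` are stand-ins (assumptions) for whatever the exercise actually uses; the profile itself must already be loaded in enforce mode on the node the pod lands on.

```yaml
# Kubernetes 1.30+: profile referenced via securityContext (pod-level here;
# the same field also exists per container under containers[].securityContext).
apiVersion: v1
kind: Pod
metadata:
  name: network-call
spec:
  # Assumption: pin the pod to the node where the profile was loaded.
  nodeName: kube-worker-1
  securityContext:
    appArmorProfile:
      type: Localhost            # RuntimeDefault | Unconfined | Localhost
      localhostProfile: network-deny   # must match the "profile <name>" line
  containers:
  - name: network-call
    # Assumption: stand-in image and command reproducing the exercise's ping loop.
    image: busybox:1.36
    command: ["sh", "-c", "while true; do ping -c 1 google.com; sleep 5; done"]
---
# Pre-1.30 form: same profile, selected through a per-container annotation.
apiVersion: v1
kind: Pod
metadata:
  name: network-call-annotated
  annotations:
    container.apparmor.security.beta.kubernetes.io/network-call: localhost/network-deny
spec:
  nodeName: kube-worker-1
  containers:
  - name: network-call
    image: busybox:1.36
    command: ["sh", "-c", "while true; do ping -c 1 google.com; sleep 5; done"]
```

On the worker node, put the profile under `/etc/apparmor.d/network-deny`, load it with `sudo apparmor_parser -r /etc/apparmor.d/network-deny`, and confirm it with `sudo aa-status | grep network-deny` before applying the manifest. The kubelet checks that a `Localhost` profile is loaded on the node before it starts the container, so loading the profile on the control plane while the pod schedules to a worker is the usual reason for a mismatch. Once the pod is running, `kubectl exec network-call -- cat /proc/1/attr/current` should print `network-deny (enforce)`, which separates "profile not applied" from "profile applied but written differently than expected".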

bmuschko commented 3 months ago

I upgraded my Vagrant setup to Kubernetes 1.30: https://github.com/bmuschko/cks-crash-course/commit/ad91300ad94595705457febf35da7e2d71af6f95

I still can't reproduce the issue. What version of AppArmor are you using in your or the Killercoda environment? This is what I have:

vagrant@kube-worker-1:~$ dpkg -l apparmor | tee
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-======================================
ii  apparmor       2.13.3-7ubuntu5.3 amd64        user-space parser utility for AppArmor

Can you point me to the Killercoda scenario you are using?

lucj commented 3 months ago

Sorry for my late reply... I've used this one: https://killercoda.com/killer-shell-cks/scenario/apparmor. It is using AppArmor 2.13.3-7ubuntu5.1.

bmuschko commented 2 months ago

I tried out the Killercoda scenario, set up and enforced the profile on node-1, and see the expected result. You may be missing a step.

lucj commented 2 months ago

Thanks for testing this. I'm closing as this is probably something on my end.