Closed lucj closed 2 months ago
I tried this again and it works for me.
I'm doing this exercise on an AppArmor scenario of Killercoda. When I use this policy on a worker node:
#include <tunables/global>
profile network-deny flags=(attach_disconnected) {
#include <abstractions/base>
network,
}
I get this error message while checking the log of the network-call pod:
k logs network-call
/bin/sh: can't open '/entrypoint.sh': Permission denied
This is why I used this policy instead (but I'm not 100% sure this is the correct one :) )
#include <tunables/global>
profile network-deny flags=(attach_disconnected) {
#include <abstractions/base>
file,
deny network,
}
With that one I get:
k logs network-call
ping: bad address 'google.com'
ping: bad address 'google.com'
I'm not an expert in AppArmor (far from that :) ) so I was curious about the reason there was no deny keyword in front of the network resource in the original profile.
Also, I'm using 1.30 (the current version used in the CKS); the AppArmor profile should now go into the securityContext instead of an annotation.
Any idea what I'm doing wrong?
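One way to put the second profile from the comment above into practice on Kubernetes 1.30 (added example, not from the thread or the cks-crash-course repo): the node-side load steps plus a pod manifest that selects the profile through securityContext.appArmorProfile rather than the annotation. The profile and pod names come from the thread; the image, the ping command and the install path are assumptions.

```shell
#!/usr/bin/env sh
# Added example; not code from the thread or the cks-crash-course repo.
set -eu

PROFILE_NAME=network-deny

# AppArmor is default-deny for a confined process: a bare "network," rule
# GRANTS all socket access, while "deny network," refuses it even where an
# included abstraction would grant some of it (and keeps the refusal out of
# the audit log). "file," is what lets /bin/sh open /entrypoint.sh at all.
render_profile() {
  cat <<EOF
#include <tunables/global>
profile $PROFILE_NAME flags=(attach_disconnected) {
  #include <abstractions/base>
  file,
  deny network,
}
EOF
}

# Kubernetes 1.30 form: the profile is selected in securityContext instead of
# the container.apparmor.security.beta.kubernetes.io/<name> annotation.
render_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: network-call
spec:
  securityContext:
    appArmorProfile:
      type: Localhost
      localhostProfile: $PROFILE_NAME
  containers:
  - name: network-call
    image: busybox:1.36   # assumed image
    command: ["sh", "-c", "ping -c 3 google.com"]   # assumed command
EOF
}

# Node-side steps; run as root on the worker the pod is scheduled to.
install_profile() {
  render_profile > "/etc/apparmor.d/$PROFILE_NAME"
  apparmor_parser -r -W "/etc/apparmor.d/$PROFILE_NAME"
  aa-status | grep -q "$PROFILE_NAME" || { echo "profile not loaded" >&2; return 1; }
}

# Root-free sanity check: the rendered profile must deny, not grant, the network.
profile_denies_network() {
  render_profile | grep -q '^  deny network,' && ! render_profile | grep -q '^  network,'
}

if [ "${1:-}" = install ]; then install_profile; fi
```

Run it with `install` as the first argument on the worker node; without arguments it only defines the functions, so the rendering helpers can be checked on any machine.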
I upgraded my Vagrant setup to Kubernetes 1.30: https://github.com/bmuschko/cks-crash-course/commit/ad91300ad94595705457febf35da7e2d71af6f95
I still can't reproduce the issue. What version of AppArmor are you using in your or the Killercoda environment? This is what I have:
$ vagrant@kube-worker-1:~$ dpkg -l apparmor | tee
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-=================-============-======================================
ii apparmor 2.13.3-7ubuntu5.3 amd64 user-space parser utility for AppArmor
Can you point me to the Killercoda scenario you are using?
Sorry for my late reply... I've used this one: https://killercoda.com/killer-shell-cks/scenario/apparmor
This is using AppArmor 2.13.3-7ubuntu5.1
I tried out the Killercoda scenario, set up and enforced the profile on node-1, and see the expected result. You may be missing some step.
Thanks for testing this. I'm closing as this is probably something on my end.
The AppArmor profile provided in the solution does not work for me:
Instead I used this one:
Any idea of the problem?