Open tvs opened 6 years ago
We have created an issue in Pivotal Tracker to manage this:
https://www.pivotaltracker.com/story/show/158274232
The labels on this github issue will be updated when the story is started.
Maybe we can also follow how we do apparmor profiles in CFAR and garden-runc
Is this a BUG REPORT or FEATURE REQUEST?: /kind feature
What happened:
Kubernetes is integrated with AppArmor
In short, AppArmor could be leveraged in concert with a MutatingAdmissionWebhook to apply additional restrictions against created containers (e.g. preventing access to certain directories, writing to files, etc.).
Our Stemcells currently support AppArmor:
And we can apply an AppArmor profile:
Unfortunately, there doesn't appear to be a mechanism for applying AppArmor profiles to the various worker nodes. While we can manually apply profiles on a per-worker basis (through SSH) these profiles won't persist through VM resurrection.
What you expected to happen: It would be nice to have a mechanism by which we can export AppArmor profiles to every worker node during deployment. The profiles should be operator-providable.
How to reproduce it (as minimally and precisely as possible): The AppArmor Example shows the basic steps involved in applying AppArmor profiles and leveraging the Kubernetes integration.
Environment:
- Kubernetes version (`kubectl version`): 1.10.3
- Cloud provider (aws, gcp, vsphere): all
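The issue describes pairing the Kubernetes AppArmor integration with a MutatingAdmissionWebhook so that every created container is pinned to a profile. The following is an added example, not code from this issue or from the project, of the mutation logic such a webhook would perform: it takes an AdmissionReview for a Pod CREATE and returns a JSON Patch that adds the `container.apparmor.security.beta.kubernetes.io/<container>` annotation (the annotation key the Kubernetes AppArmor beta integration uses) for each container and init container that does not already carry one. The profile name `k8s-deny-etc-write`, the sample AdmissionReview, and the container names are constructed for the example; the TLS server that receives the webhook call is omitted. The profile itself must already be loaded on every worker node, which is exactly the persistence gap the issue is asking to close.

```python
import base64
import copy
import json

# Annotation prefix used by the Kubernetes AppArmor integration for a
# container named <name>; the value is the profile reference.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Hypothetical profile name. It has to be loaded on every worker node
# (apparmor_parser) before the pod is scheduled, or the kubelet will
# refuse to start the container.
DEFAULT_PROFILE = "localhost/k8s-deny-etc-write"


def json_pointer_escape(segment):
    """Escape one JSON Pointer (RFC 6901) segment; annotation keys contain '/'."""
    return segment.replace("~", "~0").replace("/", "~1")


def apparmor_patch(pod, profile=DEFAULT_PROFILE):
    """Return JSON Patch (RFC 6902) ops pinning every container in `pod` to `profile`.

    Containers that already carry an AppArmor annotation are left untouched, so an
    operator can opt a workload into a different profile explicitly.
    """
    metadata = pod.get("metadata", {})
    annotations = metadata.get("annotations") or {}
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])

    patch = []
    if metadata.get("annotations") is None:
        # JSON Patch cannot add a key under a missing object: create the map first.
        patch.append({"op": "add", "path": "/metadata/annotations", "value": {}})

    for container in containers:
        key = APPARMOR_PREFIX + container["name"]
        if key in annotations:
            continue
        patch.append({
            "op": "add",
            "path": "/metadata/annotations/" + json_pointer_escape(key),
            "value": profile,
        })
    return patch


def mutate(admission_review, profile=DEFAULT_PROFILE):
    """Build the AdmissionReview response; only Pod objects are patched."""
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}
    if req.get("kind", {}).get("kind") == "Pod":
        patch = apparmor_patch(req["object"], profile)
        if patch:
            response["patchType"] = "JSONPatch"
            response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": admission_review["apiVersion"],
            "kind": "AdmissionReview", "response": response}


def decode_patch(review_response):
    """Recover the JSON Patch list from a mutate() response (empty if none)."""
    patch = review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


def apply_add_ops(obj, patch):
    """Apply the 'add' ops produced above, enough to inspect the result offline."""
    out = copy.deepcopy(obj)
    for op in patch:
        assert op["op"] == "add"
        # Unescape in RFC 6901 order: '~1' first, then '~0'.
        parts = [p.replace("~1", "/").replace("~0", "~") for p in op["path"].split("/")[1:]]
        target = out
        for part in parts[:-1]:
            target = target[part]
        target[parts[-1]] = op["value"]
    return out


# Constructed sample AdmissionReview, not captured from a real cluster.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1beta1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-1",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "initContainers": [{"name": "init-config", "image": "busybox"}],
                "containers": [{"name": "nginx", "image": "nginx:1.15"},
                               {"name": "sidecar", "image": "busybox"}],
            },
        },
    },
}

if __name__ == "__main__":
    resp = mutate(SAMPLE_REVIEW)
    print(json.dumps(apply_add_ops(SAMPLE_REVIEW["request"]["object"],
                                   decode_patch(resp))["metadata"]["annotations"], indent=2))
```

The webhook only adds annotations; it does not load anything onto the node. If the referenced profile is missing on the worker that the scheduler picks, the pod is rejected at container start, so the node-side distribution the issue requests is a prerequisite for this pattern to be safe to enforce cluster-wide.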