cloudfoundry-incubator / kubo-release

Kubernetes BOSH release
https://www.cloudfoundry.org/container-runtime/
Apache License 2.0
161 stars 76 forks source link

There's no mechanism to apply AppArmor profiles to the nodes #218

Open tvs opened 6 years ago

tvs commented 6 years ago

Is this a BUG REPORT or FEATURE REQUEST?: /kind feature

What happened:

AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.

Kubernetes is integrated with AppArmor

AppArmor can help you to run a more secure deployment by restricting what containers are allowed to do, and/or provide better auditing through system logs. However, it is important to keep in mind that AppArmor is not a silver bullet and can only do so much to protect against exploits in your application code. It is important to provide good, restrictive profiles, and harden your applications and cluster from other angles as well.

In short, AppArmor could be leveraged in concert with a MutatingAdmissionWebhook to apply additional restrictions against created containers (e.g. preventing access to certain directories, writing to files, etc.).

Our Stemcells currently support AppArmor:

# cat /sys/module/apparmor/parameters/enabled
Y

And we can apply an AppArmor profile:

# apparmor_parser -q <<EOF
#include <tunables/global>

profile k8s-apparmor-example-deny-write flags=(attach_disconnected) {
  #include <abstractions/base>

  file,

  # Deny all file writes.
  deny /** w,
}
EOF

Unfortunately, there doesn't appear to be a mechanism for applying AppArmor profiles to the various worker nodes. While we can manually apply profiles on a per-worker basis (through SSH) these profiles won't persist through VM resurrection.

What you expected to happen: It would be nice to have a mechanism by which we can export AppArmor profiles to every worker node during deployment. The profiles should be operator-providable.

How to reproduce it (as minimally and precisely as possible): The AppArmor Example shows the basic steps involved in applying AppArmor profiles and leveraging the Kubernetes integration.

Environment:

cf-gitbot commented 6 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/158274232

The labels on this github issue will be updated when the story is started.

karampok commented 6 years ago

Maybe we can also follow how we do apparmor profiles in CFAR and garden-runc