kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Missing documentation for `apparmor.security.beta.kubernetes.io/defaultProfileName` annotation key #43310

Closed raonitimo closed 2 months ago

raonitimo commented 1 year ago

Issue type: Feature Request

There is an information gap in the kubernetes documentation in which no information is provided for how to set the default AppArmor profile.

What would you like to be added

A brief description of the "apparmor.security.beta.kubernetes.io/defaultProfileName" annotation and how to use it for setting a default AppArmor profile to the pod.

Why is this needed

Users might want to set a default AppArmor profile to all containers in a pod.

My specific use case: I want to run an ephemeral (debug) container on a Pod, but the default containerd AppArmor profile blocks ptrace syscalls. I need the ephemeral container to be unconfined. I can't add AppArmor annotations to an existing pod. And when creating a pod with an AppArmor annotation, it validates whether the pod has a container that matches the container_name in the annotation key. So I'll set `apparmor.security.beta.kubernetes.io/defaultProfileName: unconfined`.

Page to Update

tutorials/security/apparmor

niranjandarshann commented 1 year ago

/sig docs /language en

aj11anuj commented 1 year ago

/kind feature

niranjandarshann commented 1 year ago

https://kubernetes.io/docs/tutorials/security/apparmor/#before-you-begin I think the above link can help you with your issue.

sftim commented 1 year ago

/retitle Missing documentation for apparmor.security.beta.kubernetes.io/defaultProfileName annotation key /triage accepted

/kind bug (because all official annotations should be registered) /remove-kind feature

sftim commented 1 year ago

/priority backlog

sftim commented 1 year ago

We should add details of the annotation to https://kubernetes.io/docs/reference/labels-annotations-taints/

MeenuyD commented 1 year ago

/assign

raonitimo commented 1 year ago

In fact, it seems the annotation doesn't apply to ephemeral containers. So, it'd be good to document ephemeral containers' behavior with AppArmor profiles.

When I tested, even with the defaultProfileName annotation, ephemeral containers got assigned the runtime default profile cri-containerd.apparmor.d, which I think is this one for containerd.

Setting the ephemeral container as privileged makes it run unconfined, which matches my reading of this code: https://github.com/containerd/containerd/blob/5b097a0817e4aa9f2310710478b0ddc896e490f4/pkg/cri/server/container_create_linux.go#L547
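The following is an added example written for this thread; it is not code from kubernetes/website or from Kubernetes itself. It models the profile resolution the thread describes: the `defaultProfileName` annotation sets the Pod-wide default, a `container.apparmor.security.beta.kubernetes.io/<container_name>` annotation overrides it for one container, and a per-container key that names no container is rejected (as the reporter notes the API server does). For ephemeral containers it encodes the reporter's observation above as an assumption, not documented behaviour: the default annotation is ignored, the runtime default applies, and a privileged ephemeral container runs unconfined. The sample Pod, its container names and the `localhost/example-web-profile` name are constructed for the example. The audit helper at the end lists containers that would run with no AppArmor confinement, which is the thing a reviewer of a manifest usually wants to know.

```python
# Added example: resolve the AppArmor profile each container in a Pod would get
# from the beta annotations discussed in this issue, and flag unconfined ones.
# Not code from kubernetes/website or Kubernetes; see the lead-in for assumptions.

DEFAULT_KEY = "apparmor.security.beta.kubernetes.io/defaultProfileName"
CONTAINER_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
RUNTIME_DEFAULT = "runtime/default"
UNCONFINED = "unconfined"
LOCALHOST_PREFIX = "localhost/"


def validate_profile(value):
    """Accept only the three profile reference forms the annotations allow."""
    if value in (RUNTIME_DEFAULT, UNCONFINED):
        return value
    if value.startswith(LOCALHOST_PREFIX) and len(value) > len(LOCALHOST_PREFIX):
        return value
    raise ValueError(f"invalid AppArmor profile reference: {value!r}")


def validate_annotations(pod):
    """Return the Pod's annotations after rejecting per-container keys that
    name no regular or init container (the API server validates this too)."""
    ann = (pod.get("metadata") or {}).get("annotations") or {}
    spec = pod.get("spec") or {}
    names = {c["name"] for c in spec.get("containers", []) + spec.get("initContainers", [])}
    for key, value in ann.items():
        if key == DEFAULT_KEY:
            validate_profile(value)
        elif key.startswith(CONTAINER_PREFIX):
            name = key[len(CONTAINER_PREFIX):]
            if name not in names:
                raise ValueError(f"annotation {key} names no container in the pod")
            validate_profile(value)
    return ann


def resolve_profiles(pod):
    """Map every container name to the profile it would run under."""
    ann = validate_annotations(pod)
    spec = pod.get("spec") or {}
    default = ann.get(DEFAULT_KEY, RUNTIME_DEFAULT)
    resolved = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        # Per-container annotation wins, then the Pod default, then runtime/default.
        resolved[c["name"]] = ann.get(CONTAINER_PREFIX + c["name"], default)
    for c in spec.get("ephemeralContainers", []):
        # Assumption taken from the reporter's observation in this thread:
        # defaultProfileName is not applied to ephemeral containers, which get
        # the runtime default unless they are privileged (then unconfined).
        privileged = (c.get("securityContext") or {}).get("privileged", False)
        resolved[c["name"]] = UNCONFINED if privileged else RUNTIME_DEFAULT
    return resolved


def unconfined_containers(pod):
    """Names of containers that would run with no AppArmor confinement."""
    return sorted(n for n, p in resolve_profiles(pod).items() if p == UNCONFINED)


# Constructed sample Pod (not from the issue): a Pod-wide default, one
# per-container override, an init container, and a privileged debug container.
SAMPLE_POD = {
    "metadata": {
        "name": "example-pod",
        "annotations": {
            DEFAULT_KEY: RUNTIME_DEFAULT,
            CONTAINER_PREFIX + "web": "localhost/example-web-profile",
        },
    },
    "spec": {
        "initContainers": [{"name": "init-db"}],
        "containers": [{"name": "web"}, {"name": "sidecar"}],
        "ephemeralContainers": [
            {"name": "debugger", "securityContext": {"privileged": True}}
        ],
    },
}


if __name__ == "__main__":
    for name, profile in resolve_profiles(SAMPLE_POD).items():
        print(f"{name}: {profile}")
    print("unconfined:", unconfined_containers(SAMPLE_POD))
```

Because the keys carry `beta` in their name, a manifest that relies on them should be checked against the current labels-annotations-taints reference rather than this thread. As a separate fact not taken from this issue: Kubernetes v1.30 graduated AppArmor support to stable with a `securityContext.appArmorProfile` field on Pods and containers, so newer clusters have a typed alternative to these annotations.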

raonitimo commented 1 year ago

I'm happy to raise a PR if that understanding is correct.

sftim commented 1 year ago

> I'm happy to raise a PR if that understanding is correct.

Please do, you're very welcome to. If you're not 100% sure the information is right, mention that in the PR description - reviewers will thank you.

sftim commented 3 months ago

/lifecycle frozen