Closed raonitimo closed 2 months ago
/sig docs /language en
/kind feature
https://kubernetes.io/docs/tutorials/security/apparmor/#before-you-begin I think the above link can help you with your issue.
/retitle Missing documentation for apparmor.security.beta.kubernetes.io/defaultProfileName annotation key
/triage accepted
/kind bug (because all official annotations should be registered) /remove-kind feature
/priority backlog
We should add details of the annotation to https://kubernetes.io/docs/reference/labels-annotations-taints/
/assign
In fact, it seems the annotation doesn't apply to ephemeral containers. So, it'd be good to document ephemeral containers' behavior with AppArmor profiles.
When I tested, even with the defaultProfileName annotation, ephemeral containers got assigned the runtime default profile cri-containerd.apparmor.d, which I think is this one for containerd.
Setting the ephemeral container as privileged makes it run unconfined, which matches my reading of this code:
https://github.com/containerd/containerd/blob/5b097a0817e4aa9f2310710478b0ddc896e490f4/pkg/cri/server/container_create_linux.go#L547
I'm happy to raise a PR if that understanding is correct.
> I'm happy to raise a PR if that understanding is correct.
Please do, you're very welcome to. If you're not 100% sure the information is right, mention that in the PR description - reviewers will thank you.
/lifecycle frozen
Issue type: Feature Request
There is an information gap in the Kubernetes documentation in which no information is provided for how to set the default AppArmor profile.
What would you like to be added
A brief description of the "apparmor.security.beta.kubernetes.io/defaultProfileName" annotation and how to use it for setting a default AppArmor profile to the pod.
Why is this needed
Users might want to set a default AppArmor profile to all containers in a pod.
My specific use case: I want to run an ephemeral (debug) container on a Pod but the default containerd AppArmor profile blocks ptrace syscalls. I need the ephemeral container to be unconfined. I can't add AppArmor annotations to an existing pod. And when creating a pod with an AppArmor annotation, it validates if the pod has a container that matches the container_name in the annotation key. So I'll set
apparmor.security.beta.kubernetes.io/defaultProfileName: unconfined
Page to Update
tutorials/security/apparmor
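The following Pod manifest is an added example, not part of this issue or the Kubernetes documentation. It shows the pod-level defaultProfileName annotation from the issue next to the per-container `container.apparmor.security.beta.kubernetes.io/<container_name>` annotation, so the two can be compared. The Pod name, container names and image are placeholders chosen for this example.

```yaml
# Added example (not from the issue): one Pod whose containers default to the
# "unconfined" AppArmor profile via the pod-level annotation, with a single
# container overridden back to the runtime default profile.
# "debug-target", "app", "sidecar" and the busybox image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: debug-target
  annotations:
    # Pod-wide default: used for every container that has no
    # container-specific annotation (value taken from the issue).
    apparmor.security.beta.kubernetes.io/defaultProfileName: unconfined
    # Per-container override: the key suffix must match a container name in
    # spec.containers, which is the validation the issue describes.
    container.apparmor.security.beta.kubernetes.io/sidecar: runtime/default
spec:
  containers:
  - name: app
    image: busybox:1.36      # placeholder image
    command: ["sleep", "infinity"]
  - name: sidecar
    image: busybox:1.36      # placeholder image
    command: ["sleep", "infinity"]
```

After `kubectl apply -f` on this manifest, an ephemeral container can be attached with `kubectl debug -it debug-target --image=busybox:1.36 --target=app -- sh`. Inside either container, `cat /proc/self/attr/current` reports the confining profile (for example `unconfined` or the runtime default), which is the quickest way to confirm the observation made earlier in this thread that the pod-level default may not carry over to the ephemeral container.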