GKE AppArmor profile is unconfined even though the node has it defined and working
I am trying to load an AppArmor profile I created, using GKE and some of the following instructions.
To apply the created AppArmor profile I followed these instructions:
which is just the AppArmor parser applied to the node[s], with some follow-up instructions to apply this same profile creation again when the node restarts. Basically it is running the following line:
/sbin/apparmor_parser --replace --write-cache /etc/apparmor.d/no_raw_net
and testing that a container with this profile is secured as expected.
As a second step I defined an environment variable in the pod with the AppArmor profile name, as explained here:
https://cloud.google.com/migrate/anthos/docs/troubleshooting/app-armor-profile
Basically it is defining the pod in this way:
spec:
  containers:
  - image: gcr.io/my-project/my-container:v1.0.0
    name: my-container
    env:
    - name: HC_APPARMOR_PROFILE
      value: "apparmor-profile-name"
    securityContext:
      privileged: true
Inside the host the AppArmor profile works as expected, but I cannot provide this profile.
I also tried removing the security context section of the pod, which is defined as true in the GKE documentation.
Last but not least, I tried the k8s pod annotation, which is a k8s feature to set a profile for a given container, as explained here:
https://kubernetes.io/docs/tutorials/security/apparmor/
With this the pod looks like this:
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor-2
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-allow-write
spec:
  containers:
  - name: hello
    image: busybox
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
but also had no luck applying the given profile.
I also tried applying a user-data config as custom metadata for the cloud-init of the node instance, so that it also adds the profile I created to AppArmor, and to double-check that the profile creation is not the issue. But editing the cluster metadata is disabled after the cluster is created, and creating a new cluster node with the user-data is not allowed, because user-data is reserved for the Container-Optimized OS user data that will be defined by Google.
No matter what I do, I always end up with either an unconfined profile for the current container or "cri-containerd.apparmor.d (enforce)", depending on whether the security context is set to true or not...
Do you have any advice on how can I provide the given profile to a pod in GKE?
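Added example, not code from the question or from the answer below: a small POSIX shell helper that checks the one thing that usually goes wrong with the annotation approach. The name after `localhost/` in the annotation must be the profile name as the kernel lists it, which is the name declared with the `profile` keyword inside the profile file, not the file name under /etc/apparmor.d. The profile body, the declared name `no-raw-net` and the sample `/sys/kernel/security/apparmor/profiles` listing are constructed for this example; the file name `no_raw_net`, the `apparmor_parser` command and the annotation form are taken from the question and the linked k8s tutorial.

```shell
#!/bin/sh
# Added example (not code from the question or the answer). Verifies that the
# name a pod annotation points at is the name the node kernel actually loaded.
# Assumed/constructed: the declared profile name "no-raw-net", the profile body
# and the sample kernel listing below. The file name no_raw_net is the one from
# the question.

# Name declared with the `profile` keyword. This is what the kernel lists and
# what `localhost/<name>` in the annotation must match; the file name under
# /etc/apparmor.d means nothing to the kernel or to the kubelet.
apparmor_profile_name() {
    sed -n 's/^[[:space:]]*profile[[:space:]]\{1,\}\([^[:space:]{]*\).*/\1/p' "$1" | head -n 1
}

# True when NAME appears as "NAME (enforce)" or "NAME (complain)" in LIST.
# On a node, LIST is /sys/kernel/security/apparmor/profiles (read as root);
# `aa-status` shows the same information.
profile_loaded() {
    name="$1"; list="$2"
    if grep -q "^${name} (" "$list"; then return 0; else return 1; fi
}

# Annotation line for the pod manifest, in the form the k8s tutorial uses.
pod_annotation() {
    container="$1"; name="$2"
    printf 'container.apparmor.security.beta.kubernetes.io/%s: localhost/%s\n' "$container" "$name"
}

# --- stand-alone demo on constructed files --------------------------------
# On a real node the load step is the one from the question:
#   /sbin/apparmor_parser --replace --write-cache /etc/apparmor.d/no_raw_net
# and the in-pod check from the k8s tutorial is:
#   kubectl exec <pod> -- cat /proc/1/attr/current   # expect "<name> (enforce)"
work=$(mktemp -d)
cat > "$work/no_raw_net" <<'EOF'
#include <tunables/global>
# constructed profile: the file is no_raw_net, the declared name is no-raw-net
profile no-raw-net flags=(attach_disconnected) {
  #include <abstractions/base>
  deny network raw,
  deny network packet,
  file,
}
EOF
# constructed kernel listing: containerd's default profile plus ours
printf 'cri-containerd.apparmor.d (enforce)\nno-raw-net (enforce)\n' > "$work/profiles"

declared=$(apparmor_profile_name "$work/no_raw_net")
echo "declared profile name: $declared"
# The file name is the wrong thing to put after localhost/; the declared name works.
for candidate in no_raw_net "$declared"; do
    if profile_loaded "$candidate" "$work/profiles"; then
        echo "localhost/$candidate -> loaded in the kernel, annotation can be enforced"
    else
        echo "localhost/$candidate -> NOT loaded in the kernel, kubelet cannot apply it"
    fi
done
pod_annotation hello "$declared"
rm -rf "$work"
```

Run it on the node itself (as root) with the real profile file and `/sys/kernel/security/apparmor/profiles` instead of the constructed ones; if `profile_loaded` fails for the declared name, the annotation cannot work no matter how the pod is written, and the load step (or its re-run after a node restart) is what needs fixing.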
Solution 1:[1]
As mentioned, I missed the way I was naming things, but besides that I would also like to mention one more alternative: https://github.com/kubernetes-sigs/security-profiles-operator, which works with some Kubernetes CRDs that allow integrating with AppArmor, seccomp, and SELinux.
Some of the implementations, like AppArmor, look like they are still WIP at the time of this writing, and I hope this initiative moves forward.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | juan garcia |
